remcos | c06a6c292aecf86af2feaaa4c13a4ce305c04a37823daf76dda71e9e790507d3

General

Target

build2.exe
Size

1.4MB
MD5

35f21b7e89b981c7a83a2fa5c834d154
SHA1

5eb4dd6d3e659360c48d1c34ba16d29244cfca1e
SHA256

c06a6c292aecf86af2feaaa4c13a4ce305c04a37823daf76dda71e9e790507d3
SHA512

ff034daf566d5675c05ae86441c96119df66183d005628cae1a002b361694b76bc9cacbfb243001d0cf37ad3b95c135945d7c4626ec12f382fac7e91cc6b9fae
SSDEEP

24576:xmI7etHLvLEh0UzA2NfTNTrStsycFWO0EWqTMSay7ty8g9In1rY:/6tXEh0UzA2NfTNTrSts9W+WRRytg9Ia

Score

10^/10

remcos pantalla discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

pantalla

C2

oportunidad-escolombiasegura.cfd:3020

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
registro
mouse_option
false
mutex
ljblwjdblhaqoiencvmz-UC819L
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

build2.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation build2.exe
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

3572 WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	build2.exe

pid	process
3572	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

build2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuickTextPaste = "C:\\Users\\Admin\\Pictures\\QuickTextPaste\\Bin\\QuickTextPaste.exe"	build2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

build2.exebuild2.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

Processes:

build2.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings build2.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

build2.exe

pid process

4280 build2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	build2.exe

pid	process
4280	build2.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

build2.exebuild2.exe

description	pid	process	target process
PID 1128 wrote to memory of 4280	1128	build2.exe	build2.exe
PID 1128 wrote to memory of 4280	1128	build2.exe	build2.exe
PID 1128 wrote to memory of 4280	1128	build2.exe	build2.exe
PID 1128 wrote to memory of 4280	1128	build2.exe	build2.exe
PID 1128 wrote to memory of 4280	1128	build2.exe	build2.exe
PID 4280 wrote to memory of 3572	4280	build2.exe	WScript.exe
PID 4280 wrote to memory of 3572	4280	build2.exe	WScript.exe
PID 4280 wrote to memory of 3572	4280	build2.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\build2.exe
"C:\Users\Admin\AppData\Local\Temp\build2.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\build2.exe
  "C:\Users\Admin\AppData\Local\Temp\build2.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mwrtniitepcrbjrx.vbs"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\registro\registros.dat

Filesize
184B

MD5
7561a5b37d1121850705afb5670216a8

SHA1
7b3107fac9340dbecc9d2aec24d4c0bbe3796c3c

SHA256
f69f57a283a99f986876096639bf034683a5628bc0d4e82b562b37e4e6112e8e

SHA512
a031bdb8557c9f762b0462b8a46be42be8eb10e73acc5361d93bc59bd8795db02627cd25376cae9671ce79585920338795dfef111349c770b70eff7a60fbc7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwrtniitepcrbjrx.vbs

Filesize
496B

MD5
149839e8d3349a47a87e24b150499993

SHA1
38496bb13f3ceb4aa354f1d48b78975ff056cda9

SHA256
c546907460074ea4154b69b135430d65777869d3364465469115752c17abdeea

SHA512
ac58ceed8b9d75d0efa799c34a877b7de309bbfca955106356349f9a575be430eb50f3da2ef3c98d93484ce8239561f2c331448faa5859bf6b38e63c4a5c9534

Download Submit
memory/1128-7-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/1128-0-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/1128-4-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/1128-6-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/1128-2-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/1128-12-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/1128-11-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/1128-26-0x0000000000407000-0x0000000000420000-memory.dmp

Filesize
100KB

Download
memory/1128-1-0x0000000000407000-0x0000000000420000-memory.dmp

Filesize
100KB

Download
memory/4280-20-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/4280-14-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-19-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-15-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-21-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-22-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-23-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-25-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-18-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-8-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-33-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-34-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-41-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-42-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-45-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-50-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-51-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download
memory/4280-13-0x00000000005A0000-0x000000000061F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads