remcos | 20701de6f04af2b8b6cc7d7e1eb4052e3d14d1c9d13f51fc660fde5f41dd0f3d

Analysis

max time kernel
149s
max time network
133s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe
Size

1.3MB
MD5

e629776542b7701a14fa78b3acaf9cb6
SHA1

1cb7893cbd897a359b3cd09982197c3550a9378d
SHA256

20701de6f04af2b8b6cc7d7e1eb4052e3d14d1c9d13f51fc660fde5f41dd0f3d
SHA512

36f237508a1a60e0c0eaefd985db3abcac6e3ecc29223047fcc7e8b6e9497ed87505e1a7edb9b323c12fbe95f35436a08adbbcb48650d4f97159235315b7a11e
SSDEEP

24576:1EzlJPpfwPKdmNyOOiKmXXueG9PSi2Z4h0pZB5v31rIyOlIM+mvw:SPOBNkQeDuaYp3Oy3m4

Score

10^/10

remcos agosto 09 discovery rat

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

AGOSTO 09

tecnorin.tecnorin.com:5165

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
currisllt
keylog_path
%AppData%
mouse_option
false
mutex
harbilidtgd-E53BNY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LearnRoadside32	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe
File created	C:\Windows\Tasks\e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.job	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe
1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe
21204	notepad.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
21204	notepad.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5836	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 21204	1732	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	30
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32
PID 21204 wrote to memory of 5836	21204	notepad.exe	32

C:\Users\Admin\AppData\Local\Temp\e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:21204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\currisllt\logs.dat

Filesize
74B

MD5
b3eaacee0b77b65e4c6c56e1e86ebe1b

SHA1
af4704c541258f5d95ebabdae0082bc3df451725

SHA256
cc41acf27b5d427288502be21cc23953626a927f26845e93977f4b74cc37a6b5

SHA512
0501a30998242bf25d538264b46de34608bbe56bc84eef3a0df9ca1de591f7e110b385552f68c7f5fdc094d2db64d8aac89029d3e4d7c3d8c9edbb1e3912dbb7

Download Submit
memory/1732-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1732-32356-0x0000000000541000-0x000000000054B000-memory.dmp

Filesize
40KB

Download
memory/1732-32358-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/1732-32359-0x0000000000541000-0x000000000054B000-memory.dmp

Filesize
40KB

Download
memory/5836-32364-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5836-32365-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5836-32366-0x0000000000090000-0x0000000000099000-memory.dmp

Filesize
36KB

Download
memory/5836-32371-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5836-32372-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5836-32375-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5836-32377-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/21204-32363-0x0000000004360000-0x0000000004398000-memory.dmp

Filesize
224KB

Download
memory/21204-32362-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/21204-32367-0x0000000004360000-0x0000000004398000-memory.dmp

Filesize
224KB

Download
memory/21204-32357-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download