remcos | 20701de6f04af2b8b6cc7d7e1eb4052e3d14d1c9d13f51fc660fde5f41dd0f3d

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe
Size

1.3MB
MD5

e629776542b7701a14fa78b3acaf9cb6
SHA1

1cb7893cbd897a359b3cd09982197c3550a9378d
SHA256

20701de6f04af2b8b6cc7d7e1eb4052e3d14d1c9d13f51fc660fde5f41dd0f3d
SHA512

36f237508a1a60e0c0eaefd985db3abcac6e3ecc29223047fcc7e8b6e9497ed87505e1a7edb9b323c12fbe95f35436a08adbbcb48650d4f97159235315b7a11e
SSDEEP

24576:1EzlJPpfwPKdmNyOOiKmXXueG9PSi2Z4h0pZB5v31rIyOlIM+mvw:SPOBNkQeDuaYp3Oy3m4

Score

10^/10

remcos agosto 09 discovery rat

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

AGOSTO 09

tecnorin.tecnorin.com:5165

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
currisllt
keylog_path
%AppData%
mouse_option
false
mutex
harbilidtgd-E53BNY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LearnRoadside32	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe
File created	C:\Windows\Tasks\e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.job	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe
11536	notepad.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
11536	notepad.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5976	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83
PID 412 wrote to memory of 11536	412	e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e629776542b7701a14fa78b3acaf9cb6_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:11536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\currisllt\logs.dat

Filesize
74B

MD5
27a499b99bcd0c9da68e88b306b54264

SHA1
2ad5a0167e505a778be5eefc75f3a4d8d75444c9

SHA256
052504c8116390d9f58d5324820a7cc7e8b347f816050d55bc7680d0e1120463

SHA512
3d41688dca49bc42d9872f5f033c5daf341749f7ad40e257b86577643f9c7c8a45a26571ed43d433e338ed1e988a1158fa3f113a128a701a08868b7eeb65d214

Download Submit
C:\Windows\LearnRoadside32

Filesize
40B

MD5
29b76c547e7d89d2c58e445ee652f19e

SHA1
0b4e77188f2e61f823cca54aea29dbba769869c6

SHA256
0c1b5e4f3273697cba5826970bfdbbdd13c5b69084d37cdcc24d13367b5773a2

SHA512
0c4a449ae497010875e3a24d84eaa21b8414bdd6083a1bf25f3c64d47e8550eb3e8d20f48c1e10ac11de857c7925141bb32dd1309b71883c6f1075ac021f7dcf

Download Submit
memory/412-0-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/412-32356-0x0000000000541000-0x000000000054B000-memory.dmp

Filesize
40KB

Download
memory/412-32358-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/412-32359-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/412-32360-0x0000000000541000-0x000000000054B000-memory.dmp

Filesize
40KB

Download
memory/5976-32364-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5976-32368-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5976-32371-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/11536-32357-0x0000000000C00000-0x0000000000C02000-memory.dmp

Filesize
8KB

Download
memory/11536-32362-0x0000000004B60000-0x0000000004B98000-memory.dmp

Filesize
224KB

Download