remcos | 50915f0f6260856a025536f2e78c82d605e522d7051600545ab94f887bf4cfc5

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe
Size

2.5MB
MD5

fb4fb518905944d8d40f97c13a1a5578
SHA1

87791ebc36c32c5623dae7e32c375d39cb7abcd3
SHA256

50915f0f6260856a025536f2e78c82d605e522d7051600545ab94f887bf4cfc5
SHA512

07dd64fbe898dd173f19b93d29876e0ea294bdfda2d4a15e4366efbf5b15a967f1fed48860e51f1fb49d8183486c38b18ec797f21dba5e280b9bb0818ce12aee
SSDEEP

49152:t848Edrt/PRv5ytQzhEP8aebD0KkslOcSDnYrPg3CvH7QDAYDvzs/3ffwva+f:t26p/phyueP8aebDQiOcSYzgx7zifZ+f

Score

10^/10

remcos discovery rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 1 IoCs

pid	Process
2572	remcos_a.vmp.exe

Loads dropped DLL 4 IoCs

pid	Process
236	fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe
236	fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe
236	fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe
236	fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2752	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2752	DllHost.exe
2752	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 2572	236	fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe	30
PID 236 wrote to memory of 2572	236	fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe	30
PID 236 wrote to memory of 2572	236	fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe	30
PID 236 wrote to memory of 2572	236	fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb4fb518905944d8d40f97c13a1a5578_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:236
- C:\Users\Admin\AppData\Local\Temp\remcos_a.vmp.exe
  "C:\Users\Admin\AppData\Local\Temp\remcos_a.vmp.exe"
  2⤵
  - Executes dropped EXE
  PID:2572

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\emrah31.png

Filesize
1.3MB

MD5
45d7cecbc87f6d7a9547bd0513cb9d8e

SHA1
810167c0361517153f4d37fcaaad7f05b6003b59

SHA256
86583092f2359d082f2097bd84f836d3448d687ec5ae54726383d6665d8b1790

SHA512
960d215c98c068c3e13cd0afb04e2121e48366232c8291f7c4be2647efbb8e06c64e6dd2c35aa884e5ab387c7b035212123dec8666bf45eb4fc21956249546fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\remcos_a.vmp.exe

Filesize
923KB

MD5
f3314fc93173aa9f577d660772740ec2

SHA1
2a40e34b13dce2c06047e510d61cb8074d30e683

SHA256
be495cf2dcb879d5e867a0b744cf040ab55a4338a18c1f6a012c2450d5a57799

SHA512
decb8a5b77a1fedad692013e6ef3608094baba5e0b9d71cba7faafddeb8707dfddd524ef6639c57deb0cfc9254b63077bfae9de0c66fc7b599070b50dd35369a

Download Submit
memory/236-21-0x00000000021F0000-0x00000000021F2000-memory.dmp

Filesize
8KB

Download
memory/2572-19-0x0000000000467000-0x0000000000576000-memory.dmp

Filesize
1.1MB

Download
memory/2572-20-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/2572-24-0x0000000000467000-0x0000000000576000-memory.dmp

Filesize
1.1MB

Download
memory/2572-25-0x0000000000467000-0x0000000000576000-memory.dmp

Filesize
1.1MB

Download
memory/2572-26-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/2752-22-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download