remcos | b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5b

General

Target

b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe
Size

1.0MB
MD5

4dde298c36c37c3f07c7bf65213c2f50
SHA1

c7655d68e8437df0638c8af818830fb767e05872
SHA256

b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5b
SHA512

6f416bb005ad5df0cdce3125aa2f0eca01e88b8909c0c1695cb369b1b8a3eefeaf3f7c3895b4c1a211e5856bd317e6a9419c10e6f5cb2ffe2869d9ce8e47d170
SSDEEP

12288:SfeDOa9rDeYSorINpj5XqkJD0QrOod7XxlW91RRep+rgRNyA55IxJ2DJW//oK1:xD39v74lfGQrFUspugRNJI2DJW//oe

Score

10^/10

remcos host discovery persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 2 IoCs

pid	Process
2300	sbietrcl.exe
980	sbietrcl.exe

Loads dropped DLL 1 IoCs

pid	Process
2892	b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe"	b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 980	2300	sbietrcl.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sbietrcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sbietrcl.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2892	b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe
2892	b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe
2892	b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe
2892	b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe
2892	b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe
2892	b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe
2300	sbietrcl.exe
2300	sbietrcl.exe
2300	sbietrcl.exe
2300	sbietrcl.exe
2300	sbietrcl.exe
2300	sbietrcl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe
Token: SeDebugPrivilege	2300	sbietrcl.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
980	sbietrcl.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2300	2892	b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe	28
PID 2892 wrote to memory of 2300	2892	b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe	28
PID 2892 wrote to memory of 2300	2892	b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe	28
PID 2892 wrote to memory of 2300	2892	b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe	28
PID 2300 wrote to memory of 980	2300	sbietrcl.exe	29
PID 2300 wrote to memory of 980	2300	sbietrcl.exe	29
PID 2300 wrote to memory of 980	2300	sbietrcl.exe	29
PID 2300 wrote to memory of 980	2300	sbietrcl.exe	29
PID 2300 wrote to memory of 980	2300	sbietrcl.exe	29
PID 2300 wrote to memory of 980	2300	sbietrcl.exe	29
PID 2300 wrote to memory of 980	2300	sbietrcl.exe	29
PID 2300 wrote to memory of 980	2300	sbietrcl.exe	29
PID 2300 wrote to memory of 980	2300	sbietrcl.exe	29
PID 2300 wrote to memory of 980	2300	sbietrcl.exe	29

C:\Users\Admin\AppData\Local\Temp\b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe
"C:\Users\Admin\AppData\Local\Temp\b3fa7c61b863e682a33b8f9059dd567a189f339ea94bf5aa96aeb3ab99e0bd5bN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65982e22f569254a9009ed04f2739b5a

SHA1
7a2780d91df53349110d1f19851b9c54ddf14ca9

SHA256
896d8b820d4358d9a88ea6fc2ced4dbaf3ee4427903ab31a7c168e8e3d392976

SHA512
410f9283744abaddc6c00a661a2dcf83c5845cd14ca23914b98144cd6daac7a0c6a25d04da5384e739c54d9c1127ea99d89a59ec51b5be69e8a7f4e6956b5dd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18b880ee4aacd7b3df53dc9745a479fa

SHA1
8113e29e746e404c921a391028e0034cb0d19fd3

SHA256
78a3050a70a4bd8750158df528cd358cd28b21b2b5762619f95dd1b92ca6e788

SHA512
ab80003fa13bd16e9bef4b4992f576957b093a3fb555c45218a6d68f0a30b724f78f588fb0ce1626a0fa72443ba2d0132f9cd2b93fdb57195f9cb382f5fe1431

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA095.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA0B7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

Filesize
1.0MB

MD5
2d66a0d06e75dfe9985ca745394e3e50

SHA1
b5d9622a1f3d236b79f7fed80a874f69af62c081

SHA256
a9131356bf4bd42c5c57ed6e4183c26bde3298cb2f538ef087decd4dbd623d59

SHA512
33cb5430b241e4bb86dc5501b5ed9dafd58f2ff2c4c80c2b3bb3a88a502ae5d6b463952c6fab2c2312b50bf646d22b9fcc02a2adfb5bfb5e78bc76f17df8d537

Download Submit
memory/980-200-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/980-204-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/980-217-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/980-212-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/980-215-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/980-211-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/980-202-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/980-198-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/980-208-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/980-209-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/980-206-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2300-187-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2300-216-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2892-1-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2892-0-0x0000000074531000-0x0000000074532000-memory.dmp

Filesize
4KB

Download
memory/2892-167-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2892-186-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2892-166-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2892-179-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads