remcos | f566a50594b589b0927a5c40b2d381945a1c90799d6ad7e9c2ce7bc75d09a778

General

Target

7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe
Size

945KB
MD5

97dbc44370eaaa9f03b0a49214740b0c
SHA1

e49d9ea0e7380f49904e41c2a48ef0f2bcecd6ba
SHA256

7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631
SHA512

2ddcd33620230fabc1a1ed2915c3f74dcfbfaf21c96af6d6359b99596dab655b14ebbe474d9c9b22aa167ffc16eb07effbf5ecabf2bb3a92f2019acfcfe4f190
SSDEEP

24576:TcpPlcL6NZ/qpYGVsIHpY4hVj1ak+gMkFqufX:EPlcLq/qpsINDjgMbFR

Score

10^/10

remcos client discovery rat

Malware Config

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

Client

C2

jokerwe.duckdns.org:45131

thegatorway.com:58764

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
start.exe
copy_folder
start
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
AV
keylog_path
%AppData%
mouse_option
false
mutex
-JTORVC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
25
startup_value
start
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2180 set thread context of 2952	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2952	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2844	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	31
PID 2180 wrote to memory of 2844	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	31
PID 2180 wrote to memory of 2844	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	31
PID 2180 wrote to memory of 2844	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	31
PID 2180 wrote to memory of 2952	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	33
PID 2180 wrote to memory of 2952	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	33
PID 2180 wrote to memory of 2952	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	33
PID 2180 wrote to memory of 2952	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	33
PID 2180 wrote to memory of 2952	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	33
PID 2180 wrote to memory of 2952	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	33
PID 2180 wrote to memory of 2952	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	33
PID 2180 wrote to memory of 2952	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	33
PID 2180 wrote to memory of 2952	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	33
PID 2180 wrote to memory of 2952	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	33
PID 2180 wrote to memory of 2952	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	33
PID 2180 wrote to memory of 2952	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	33
PID 2180 wrote to memory of 2952	2180	7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe	33

C:\Users\Admin\AppData\Local\Temp\7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe
"C:\Users\Admin\AppData\Local\Temp\7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YgBIwxYcZP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp865F.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe
  "C:\Users\Admin\AppData\Local\Temp\7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp865F.tmp

Filesize
1KB

MD5
c9e7b98a3243b353a6c13ac20e9bd204

SHA1
68cec3f963afabf816f04800ad8b8d467073c530

SHA256
4d1f09a7509b695da4cc7329c358e06d9b8b534e7641732ec8e048ccc536c7ca

SHA512
1740ed370c8e58479d018cc9f0ff85122b1cc26eae6a707903d5bbc944fbb3de69f1cb76e166fd220b8c51950944b12baf0b2b3e4a709cf18655154763cc87cb

Download Submit
C:\Users\Admin\AppData\Roaming\AV\logs.dat

Filesize
148B

MD5
3ba242fc9359f44543e4155299f57d3c

SHA1
567323c1de761601d90e3a36ef2b711fb273a217

SHA256
f3a3e93f82c69c4aae95d50e92ea677f227fea99a206998ec2e857cf9573124d

SHA512
b9bb3bb8b16403aa57e76741006c577b1b8164dd803fada8a2d511407b6a3fa087356b7921858bf931a92ca9cf0df11bcb7d96d1521fe069a9dc06fb60333573

Download Submit
memory/2180-0-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x0000000000280000-0x0000000000372000-memory.dmp

Filesize
968KB

Download
memory/2180-2-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-3-0x0000000000440000-0x0000000000454000-memory.dmp

Filesize
80KB

Download
memory/2180-4-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/2180-5-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-6-0x0000000005720000-0x00000000057D2000-memory.dmp

Filesize
712KB

Download
memory/2180-7-0x0000000004E90000-0x0000000004F1C000-memory.dmp

Filesize
560KB

Download
memory/2180-37-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-32-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2952-33-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2952-30-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2952-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2952-26-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2952-24-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2952-22-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2952-20-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2952-18-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2952-16-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2952-15-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2952-36-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2952-13-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads