remcos | ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe
Size

300.0MB
MD5

576e2763bd4204a46369088e7a09505a
SHA1

48c41638957a2eabec298ef6ecd1d85de6d92f95
SHA256

ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b
SHA512

7b04d4dc15184040508c39e81f1ddc821eb88c6f24c5d990a67a0aa3ee443156ee8105afe3fedf74f4aa07735fe3efb1b6f828964b0e27c82efbb2a7b91914e4
SSDEEP

12288:f1jsCAqYw8N6RFEGf7iW1HXSIE2GwcA4DTqw5mO8CkfnU8GP:djs3qP8NAEGf51HX51cA4fKfU8GP

Score

10^/10

remcos 7-5-22 discovery rat

Malware Config

Extracted

Family

remcos

Botnet

7-5-22

playstachon.duckdns.org:30288

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
NGINX
keylog_path
%AppData%
mouse_option
false
mutex
xpsie6w@>-H4T1EN
screenshot_crypt
true
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
paytrace;globalgateway;firstdata;shopify;chase

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 2 IoCs

pid	Process
4308	lpoef.exe
2252	lpoef.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2388 set thread context of 5000	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	95
PID 4308 set thread context of 4432	4308	lpoef.exe	106

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2932	5000	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lpoef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lpoef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
432	schtasks.exe
4848	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4432	RegAsm.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 4300	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	90
PID 2388 wrote to memory of 4300	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	90
PID 2388 wrote to memory of 4300	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	90
PID 4300 wrote to memory of 432	4300	cmd.exe	92
PID 4300 wrote to memory of 432	4300	cmd.exe	92
PID 4300 wrote to memory of 432	4300	cmd.exe	92
PID 2388 wrote to memory of 3348	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	93
PID 2388 wrote to memory of 3348	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	93
PID 2388 wrote to memory of 3348	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	93
PID 2388 wrote to memory of 5000	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	95
PID 2388 wrote to memory of 5000	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	95
PID 2388 wrote to memory of 5000	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	95
PID 2388 wrote to memory of 5000	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	95
PID 2388 wrote to memory of 5000	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	95
PID 2388 wrote to memory of 5000	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	95
PID 2388 wrote to memory of 5000	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	95
PID 2388 wrote to memory of 5000	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	95
PID 2388 wrote to memory of 5000	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	95
PID 2388 wrote to memory of 5000	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	95
PID 2388 wrote to memory of 5000	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	95
PID 2388 wrote to memory of 5000	2388	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	95
PID 4308 wrote to memory of 1036	4308	lpoef.exe	101
PID 4308 wrote to memory of 1036	4308	lpoef.exe	101
PID 4308 wrote to memory of 1036	4308	lpoef.exe	101
PID 1036 wrote to memory of 4848	1036	cmd.exe	103
PID 1036 wrote to memory of 4848	1036	cmd.exe	103
PID 1036 wrote to memory of 4848	1036	cmd.exe	103
PID 4308 wrote to memory of 3252	4308	lpoef.exe	104
PID 4308 wrote to memory of 3252	4308	lpoef.exe	104
PID 4308 wrote to memory of 3252	4308	lpoef.exe	104
PID 4308 wrote to memory of 4432	4308	lpoef.exe	106
PID 4308 wrote to memory of 4432	4308	lpoef.exe	106
PID 4308 wrote to memory of 4432	4308	lpoef.exe	106
PID 4308 wrote to memory of 4432	4308	lpoef.exe	106
PID 4308 wrote to memory of 4432	4308	lpoef.exe	106
PID 4308 wrote to memory of 4432	4308	lpoef.exe	106
PID 4308 wrote to memory of 4432	4308	lpoef.exe	106
PID 4308 wrote to memory of 4432	4308	lpoef.exe	106
PID 4308 wrote to memory of 4432	4308	lpoef.exe	106
PID 4308 wrote to memory of 4432	4308	lpoef.exe	106
PID 4308 wrote to memory of 4432	4308	lpoef.exe	106
PID 4308 wrote to memory of 4432	4308	lpoef.exe	106

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\lpoef.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\lpoef.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:432
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe" "C:\Users\Admin\AppData\Roaming\lpoef.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 636
    3⤵
    - Program crash
    PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5000 -ip 5000
1⤵
PID:3716

C:\Users\Admin\AppData\Roaming\lpoef.exe
C:\Users\Admin\AppData\Roaming\lpoef.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\lpoef.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\lpoef.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4848
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\lpoef.exe" "C:\Users\Admin\AppData\Roaming\lpoef.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4432

C:\Users\Admin\AppData\Roaming\lpoef.exe
C:\Users\Admin\AppData\Roaming\lpoef.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lpoef.exe.log

Filesize
520B

MD5
41c37de2b4598f7759f865817dba5f80

SHA1
884ccf344bc2dd409425dc5ace0fd909a5f8cce4

SHA256
427235491a8da3fc8770ed60d30af731835c94585cd08d4d81fca9f703b283bc

SHA512
a8f3c74916623de100e4cf22e05df9cdf541b1e32443aab0434f35fb9c4a7fa950b997ce589b532e65731ae471a1f152cd5c00ea1df4bd7a6b57eb27c93c54bd

Download Submit
memory/2388-1-0x00000000008E0000-0x000000000098A000-memory.dmp

Filesize
680KB

Download
memory/2388-2-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2388-3-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/2388-4-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2388-5-0x0000000005BA0000-0x0000000006144000-memory.dmp

Filesize
5.6MB

Download
memory/2388-20-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2388-0-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/4308-25-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4308-36-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4308-26-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4432-32-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4432-29-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4432-31-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4432-37-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4432-38-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4432-41-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4432-42-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5000-22-0x0000000000610000-0x000000000068B000-memory.dmp

Filesize
492KB

Download
memory/5000-21-0x0000000000610000-0x000000000068B000-memory.dmp

Filesize
492KB

Download
memory/5000-10-0x0000000000610000-0x000000000068B000-memory.dmp

Filesize
492KB

Download
memory/5000-15-0x0000000000610000-0x000000000068B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads