remcos | a9fc803f335632186421fa99723dcf6025f6dc29c1bc6f2a36ee2d120920a842

General

Target

9073782912,pdf.exe
Size

362KB
MD5

a7fcbd96b8a0db116079de4ea0e996d6
SHA1

890e3cc679fbd6e7ab63153e19d3cadfedd6cee0
SHA256

173c70809b04f14f357dde36d17bd02b075dcfdecf0e8cc5c69fb4266e452bb7
SHA512

e9cba770b543daf9c90e856a476aac1c44ea6f892b62ae31ea7c9fb565f7f7f4cee8ef430cf8fa8bd3b995b5a15af063b53d0e963d4c7630111ca37674547b9f
SSDEEP

6144:QBlL/UyTeiB0PJo3zzj9XJkhtXyofdY4Z2M7b2Y2TTzp1K:iDnfj9XmLJbZ2M7b27jK

Score

10^/10

remcos new discovery rat

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

NEW

C2

insidelife1.ddns.net:2123

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-FXFW4N
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Loads dropped DLL 1 IoCs

pid	Process
1712	9073782912,pdf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1712 set thread context of 1176	1712	9073782912,pdf.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9073782912,pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9073782912,pdf.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1712	9073782912,pdf.exe
1712	9073782912,pdf.exe
1712	9073782912,pdf.exe
1712	9073782912,pdf.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1712	9073782912,pdf.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1176	1712	9073782912,pdf.exe	31
PID 1712 wrote to memory of 1176	1712	9073782912,pdf.exe	31
PID 1712 wrote to memory of 1176	1712	9073782912,pdf.exe	31
PID 1712 wrote to memory of 1176	1712	9073782912,pdf.exe	31
PID 1712 wrote to memory of 1176	1712	9073782912,pdf.exe	31

C:\Users\Admin\AppData\Local\Temp\9073782912,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\9073782912,pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\9073782912,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\9073782912,pdf.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nstE264.tmp\c163.dll

Filesize
149KB

MD5
ff92e869d01daa3746d2cec2646ad093

SHA1
8550d250841652780bc92379fadf5a39244bc64e

SHA256
af33fde8b5a9f218f92278d6c1c17e91624242262fa65e9a770fb81b14b42bb4

SHA512
9899011426347267a98ca13c5dda0f20a3d9976e33c0be4aa21d4bfc656d094088403bf9cfb6f443efb4b24748b207a6af0f723bebfc7209baff334cdba16cdb

Download Submit
memory/1176-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-54-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-29-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-24-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-52-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-32-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-33-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-35-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-36-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-42-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-43-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-45-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-46-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-48-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-49-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-51-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1712-5-0x0000000074EE0000-0x0000000074EEB000-memory.dmp

Filesize
44KB

Download
memory/1712-9-0x0000000074EE0000-0x0000000074EEB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing