remcos | 30fb134992208f5e411d9586d20c4de6eaf18799a898c88ffbea4ae4584fb309

General

Target

c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe
Size

599KB
MD5

bb662e82e04ac3c7866cba446c15ccae
SHA1

1b90f8f280d5d90c771aa0afe393b29c4ab8e2c1
SHA256

c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738
SHA512

444aae4807df3be896177f1b039196387cdd9024b3f8051af7fb1ef9918ec7a9c9446c478f45f9fc8df2c0f6479807c68a612ef9e14ed521d615337efd4372d4
SSDEEP

12288:8oIzAxAjLyVG/QGlGwqC5/3z3P4I3xJRKY:EExM+8IGlThD33xjKY

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

wealthambassador.ddns.net:39450

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-S77937
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 2 IoCs

pid	Process
2228	ftmpfyzcha.exe
2796	ftmpfyzcha.exe

Loads dropped DLL 5 IoCs

pid	Process
2264	c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe
2228	ftmpfyzcha.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2744	2796	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftmpfyzcha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftmpfyzcha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2228	2264	c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe	30
PID 2264 wrote to memory of 2228	2264	c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe	30
PID 2264 wrote to memory of 2228	2264	c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe	30
PID 2264 wrote to memory of 2228	2264	c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe	30
PID 2228 wrote to memory of 2796	2228	ftmpfyzcha.exe	31
PID 2228 wrote to memory of 2796	2228	ftmpfyzcha.exe	31
PID 2228 wrote to memory of 2796	2228	ftmpfyzcha.exe	31
PID 2228 wrote to memory of 2796	2228	ftmpfyzcha.exe	31
PID 2228 wrote to memory of 2796	2228	ftmpfyzcha.exe	31
PID 2228 wrote to memory of 2796	2228	ftmpfyzcha.exe	31
PID 2228 wrote to memory of 2796	2228	ftmpfyzcha.exe	31
PID 2228 wrote to memory of 2796	2228	ftmpfyzcha.exe	31
PID 2228 wrote to memory of 2796	2228	ftmpfyzcha.exe	31
PID 2228 wrote to memory of 2796	2228	ftmpfyzcha.exe	31
PID 2228 wrote to memory of 2796	2228	ftmpfyzcha.exe	31
PID 2228 wrote to memory of 2796	2228	ftmpfyzcha.exe	31
PID 2228 wrote to memory of 2796	2228	ftmpfyzcha.exe	31
PID 2796 wrote to memory of 2744	2796	ftmpfyzcha.exe	32
PID 2796 wrote to memory of 2744	2796	ftmpfyzcha.exe	32
PID 2796 wrote to memory of 2744	2796	ftmpfyzcha.exe	32
PID 2796 wrote to memory of 2744	2796	ftmpfyzcha.exe	32

C:\Users\Admin\AppData\Local\Temp\c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe
"C:\Users\Admin\AppData\Local\Temp\c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\ftmpfyzcha.exe
  C:\Users\Admin\AppData\Local\Temp\ftmpfyzcha.exe C:\Users\Admin\AppData\Local\Temp\pljgbgh
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\ftmpfyzcha.exe
    C:\Users\Admin\AppData\Local\Temp\ftmpfyzcha.exe C:\Users\Admin\AppData\Local\Temp\pljgbgh
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 172
      4⤵
      Loads dropped DLL
      Program crash
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\m8d9k2oc4ffztya

Filesize
462KB

MD5
2d288c29676ae66ffae121dab04e267d

SHA1
51cefe6b2715121794f990a4e5b0aec973140c68

SHA256
eae3e3166360095f851fc86e75e0362480e074f5eec018b162b2a9d0bcf056d8

SHA512
856d8af061031903d13578c7a80eed7823990dc6ed8b380bb28f27a170a1e189a9797a5f21bda325615e03291cb7612331c79b854d30d1d477608c85e340ea85

Download Submit
C:\Users\Admin\AppData\Local\Temp\pljgbgh

Filesize
4KB

MD5
74ee06cabba0d6e1675902e0af0ec31c

SHA1
6067f4c9666b63d10e9a65ab3ef585cb97f299d2

SHA256
264b82538bae28bde288f11d50801d5c721470c9e57e0355acf7ecd33bba26da

SHA512
c4514b0c028b5744965157fc15b9a777018934db938e92ca8e9dfe4473733671fdad200acd01f91c47d91be02faff334eb9ddbd61e5006b987a28922ef5ba39e

Download Submit
\Users\Admin\AppData\Local\Temp\ftmpfyzcha.exe

Filesize
120KB

MD5
0b9c734942a35a6960bb3222a2aa3e47

SHA1
31edcd3b02af420e4b25a3eba0f77ea820d13e75

SHA256
f9ed31df479d80626e3834b0d9d11b5e2815b6704973736f324c055c99a6adcf

SHA512
e880062dd3de2a18566e47d279b67af82abf88d52380e55c8a43a20cae90f1f9b1a99bba67df40cc5d6578bb3729c43a8fd48d8fd8531c131d95a55cfc262c5d

Download Submit
memory/2228-9-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/2796-12-0x00000000000C0000-0x000000000013A000-memory.dmp

Filesize
488KB

Download
memory/2796-24-0x00000000000C0000-0x000000000013A000-memory.dmp

Filesize
488KB

Download
memory/2796-19-0x00000000000C0000-0x000000000013A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing