remcos | d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877

General

Target

d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe
Size

1.3MB
MD5

5f38edf8c588efd365f6c82c92d5f0f6
SHA1

6f8ec411858b7410a22401f6c9d6a2a5c45aaa9b
SHA256

d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877
SHA512

7bc7886d3c81421d6d9cdc1cf4ee3af5fea572de578fbc8c42509129b37716de7552e3147a3ac84261c463fe79fb60511eff18d45c3bc3d411905c22389028ef
SSDEEP

24576:Cu6J33O0c+JY5UZ+XC0kGso6FapubMGC8db/ZOid2MNTosdIIDnWY:ku0c++OCvkGs9FapCX0yTnyY

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.64.152:2559

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZFXG9Y
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbs	derogates.exe

Executes dropped EXE 1 IoCs

pid	Process
4316	derogates.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000a000000023b73-9.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4316 set thread context of 3568	4316	derogates.exe	84
PID 3568 set thread context of 1088	3568	svchost.exe	85

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	derogates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3568	svchost.exe
3568	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4316	derogates.exe
3568	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4396	d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe
4396	d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe
4316	derogates.exe
4316	derogates.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4396	d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe
4396	d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe
4316	derogates.exe
4316	derogates.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 4316	4396	d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe	83
PID 4396 wrote to memory of 4316	4396	d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe	83
PID 4396 wrote to memory of 4316	4396	d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe	83
PID 4316 wrote to memory of 3568	4316	derogates.exe	84
PID 4316 wrote to memory of 3568	4316	derogates.exe	84
PID 4316 wrote to memory of 3568	4316	derogates.exe	84
PID 4316 wrote to memory of 3568	4316	derogates.exe	84
PID 3568 wrote to memory of 1088	3568	svchost.exe	85
PID 3568 wrote to memory of 1088	3568	svchost.exe	85
PID 3568 wrote to memory of 1088	3568	svchost.exe	85
PID 3568 wrote to memory of 1088	3568	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe
"C:\Users\Admin\AppData\Local\Temp\d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Local\miaou\derogates.exe
  "C:\Users\Admin\AppData\Local\Temp\d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - \??\c:\program files (x86)\internet explorer\iexplore.exe
      "c:\program files (x86)\internet explorer\iexplore.exe"
      4⤵
      PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cerecloths

Filesize
483KB

MD5
1feec4959309f93b31ed96bb1c991a90

SHA1
65bed2ab9ebce344e29322980c4782ac2921c1d9

SHA256
b9e8c2ee4bec14965b15f8e28fce1ba98c3bbd412bcde16dce424d1698df3132

SHA512
722513d8cf35ce524576e870a4d6ad9ae59c14bb5aabcbfe17417a3543423b089a63fe867025bcae8427ba4d47bd4c0efe682a9317f1ac35ab768be9fcd80051

Download Submit
C:\Users\Admin\AppData\Local\miaou\derogates.exe

Filesize
1.3MB

MD5
5f38edf8c588efd365f6c82c92d5f0f6

SHA1
6f8ec411858b7410a22401f6c9d6a2a5c45aaa9b

SHA256
d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877

SHA512
7bc7886d3c81421d6d9cdc1cf4ee3af5fea572de578fbc8c42509129b37716de7552e3147a3ac84261c463fe79fb60511eff18d45c3bc3d411905c22389028ef

Download Submit
memory/1088-24-0x0000000000E30000-0x0000000000E3E000-memory.dmp

Filesize
56KB

Download
memory/1088-29-0x0000000000E30000-0x0000000000E3E000-memory.dmp

Filesize
56KB

Download
memory/1088-28-0x0000000000E30000-0x0000000000E3E000-memory.dmp

Filesize
56KB

Download
memory/1088-26-0x0000000000E30000-0x0000000000E3E000-memory.dmp

Filesize
56KB

Download
memory/3568-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3568-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3568-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3568-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3568-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4316-18-0x0000000000C40000-0x0000000001040000-memory.dmp

Filesize
4.0MB

Download
memory/4396-6-0x0000000000F00000-0x0000000001300000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing