remcos | 365695a8882615e0e1f85b8477bb82212783b1ef3672f67a8ca92bc252ec11ed

General

Target

365695a8882615e0e1f85b8477bb82212783b1ef3672f67a8ca92bc252ec11ed.exe
Size

1.9MB
MD5

9c14de2917293f81b23b0cde00ddc624
SHA1

0baa9c81a415a4d4d72305f71490ca32816c63a1
SHA256

365695a8882615e0e1f85b8477bb82212783b1ef3672f67a8ca92bc252ec11ed
SHA512

c4145d85bbe7b5414009ebfe2a04242d872623c5133f4e5da9fe8c27b0742349e51d80434ed1abceda4ed21776d37437fc39d74c67abd5daf4f546e2c98e29cb
SSDEEP

49152:kDjlabwz9E7lIyIp6GVn+8OzCHGV4wUhCDOs:0qw8lIyIpd+8wlUrs

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.42.12.75:2406

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
010325
keylog_path
%AppData%
mouse_option
false
mutex
010325-YWFFXL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 2 IoCs

pid	Process
2840	palemoon.exe
2624	palemoon.exe

Loads dropped DLL 10 IoCs

pid	Process
2840	palemoon.exe
2840	palemoon.exe
2840	palemoon.exe
2840	palemoon.exe
2624	palemoon.exe
2624	palemoon.exe
2624	palemoon.exe
1588	cmd.exe
1588	cmd.exe
2628	Iu_alt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 1588	2624	palemoon.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	palemoon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	palemoon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iu_alt.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2840	palemoon.exe
2624	palemoon.exe
2624	palemoon.exe
1588	cmd.exe
1588	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2624	palemoon.exe
1588	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2628	Iu_alt.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2840	2260	365695a8882615e0e1f85b8477bb82212783b1ef3672f67a8ca92bc252ec11ed.exe	31
PID 2260 wrote to memory of 2840	2260	365695a8882615e0e1f85b8477bb82212783b1ef3672f67a8ca92bc252ec11ed.exe	31
PID 2260 wrote to memory of 2840	2260	365695a8882615e0e1f85b8477bb82212783b1ef3672f67a8ca92bc252ec11ed.exe	31
PID 2260 wrote to memory of 2840	2260	365695a8882615e0e1f85b8477bb82212783b1ef3672f67a8ca92bc252ec11ed.exe	31
PID 2840 wrote to memory of 2624	2840	palemoon.exe	32
PID 2840 wrote to memory of 2624	2840	palemoon.exe	32
PID 2840 wrote to memory of 2624	2840	palemoon.exe	32
PID 2840 wrote to memory of 2624	2840	palemoon.exe	32
PID 2624 wrote to memory of 1588	2624	palemoon.exe	33
PID 2624 wrote to memory of 1588	2624	palemoon.exe	33
PID 2624 wrote to memory of 1588	2624	palemoon.exe	33
PID 2624 wrote to memory of 1588	2624	palemoon.exe	33
PID 2624 wrote to memory of 1588	2624	palemoon.exe	33
PID 1588 wrote to memory of 2628	1588	cmd.exe	35
PID 1588 wrote to memory of 2628	1588	cmd.exe	35
PID 1588 wrote to memory of 2628	1588	cmd.exe	35
PID 1588 wrote to memory of 2628	1588	cmd.exe	35
PID 1588 wrote to memory of 2628	1588	cmd.exe	35
PID 1588 wrote to memory of 2628	1588	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\365695a8882615e0e1f85b8477bb82212783b1ef3672f67a8ca92bc252ec11ed.exe
"C:\Users\Admin\AppData\Local\Temp\365695a8882615e0e1f85b8477bb82212783b1ef3672f67a8ca92bc252ec11ed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\palemoon.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\palemoon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Roaming\YGH_local_v3\palemoon.exe
    C:\Users\Admin\AppData\Roaming\YGH_local_v3\palemoon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Users\Admin\AppData\Local\Temp\Iu_alt.exe
        
        C:\Users\Admin\AppData\Local\Temp\Iu_alt.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSVCP140.dll

Filesize
427KB

MD5
ff877a5dffd764197250bd4ba28496b1

SHA1
187b8e183fc3331dd4ba139333886ad1fbf333a7

SHA256
83f935454ae8e450b6f042509ecf28cceff95edb2495c63a782b9d45c2eaf1c0

SHA512
b9245353f8a8bce6f443345daf50e135aa9d84bcce4dc5fd9279216b99bc6a1fa409292e110132ad815f303f36006610d6907e9fc778e94977beb2332481d03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll

Filesize
78KB

MD5
1e6e97d60d411a2dee8964d3d05adb15

SHA1
0a2fe6ec6b6675c44998c282dbb1cd8787612faf

SHA256
8598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9

SHA512
3f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bugaboo.csv

Filesize
51KB

MD5
e7c55fe5699bc12b05b282b124004af6

SHA1
8129400217b856e5d0384bb5a55d323a1739bc18

SHA256
fa3ee614bf7a6f2b7ce7ed031592f1b35e0a64fec38bd5980b49f130f6573843

SHA512
13b35f0139fccb84de8616a6d905ef96b54c5567cd17666e1c32405c7d22cd8ba0b293feca018e987fdb368bb77ec2547f913a53cf30f2a39722c9419f1c0b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mozglue.dll

Filesize
184KB

MD5
0675804214addd18dd5e8dfadcda6e81

SHA1
2c998bbe2f7e2ef8163237eff3e0838ecadf69e5

SHA256
734093544d7cec4d6e8c3e9bb4870d5e2b4ff0782cb079bb71e8a9ae9b373c18

SHA512
2472d0deb97bbbcc0642784ce5f2050e57fd94ef9150e79b3c098ed39ae1ef6911fad092e876cfd5a7b73604299b7c5ac89b145e33bc024ccf54c044161d6466

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\palemoon.exe

Filesize
275KB

MD5
b2d4b1d83945b5787d49a86c4f394e0c

SHA1
334a5c434e5d5d0649f8224e449ca9aaf9ba6816

SHA256
038d7b257b98421ad371189cf51d67f32ddad2de687c443a59ea74e4027bbf04

SHA512
4e92c367991a30d81a718ef26e8e61d24a84d2b54b5d9c6555f319b186ed5bc29d03fb10929bdae4d37c4fe92b3c0be63ee1ed4b287df74af7644e65053222d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\parastichy.raw

Filesize
1.1MB

MD5
2a2c6b76e22cedd030f8b900a87989df

SHA1
c5b785874fd5648de199cce7b678ed400d612e9e

SHA256
5cc242ecbda1996179449fc89c228f32bc8e41a7e9d4de0afb443c79e00b9b35

SHA512
ee134ec1c78ef168027dbc4afc3e98b8976bc77d16727629f58954adf5e6e5cbbd33f73e6710a3ab5959f7e3c19197dbce2db6581da6240a6d06e0fcfc12891a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e38330fd

Filesize
1.6MB

MD5
99c0bcbfa183e33e040360ea9d146ed5

SHA1
ae2dee514720b567bfe133bf51ec078fef48f0b2

SHA256
ecbedad22324a7efe08dbffa87ba3262985a5017cddb253596f7c39c1d653223

SHA512
e5876ea7cd56c5cd73cbaa381b88ac6bc0491738f57c2357c1409c59750753d43bc2672557fba09a4926c2d06f1b540692bfa7ed1c2d22f45d2b90e6cfb38214

Download Submit
\Users\Admin\AppData\Local\Temp\Iu_alt.exe

Filesize
433KB

MD5
fea067901f48a5f1faf7ca3b373f1a8f

SHA1
e8abe0deb87de9fe3bb3a611234584e9a9b17cce

SHA256
bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

SHA512
07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

Download Submit
memory/1588-78-0x0000000074560000-0x00000000746D4000-memory.dmp

Filesize
1.5MB

Download
memory/1588-67-0x0000000074560000-0x00000000746D4000-memory.dmp

Filesize
1.5MB

Download
memory/1588-56-0x0000000074560000-0x00000000746D4000-memory.dmp

Filesize
1.5MB

Download
memory/1588-59-0x0000000074560000-0x00000000746D4000-memory.dmp

Filesize
1.5MB

Download
memory/1588-58-0x00000000770C0000-0x0000000077269000-memory.dmp

Filesize
1.7MB

Download
memory/2624-51-0x00000000770C0000-0x0000000077269000-memory.dmp

Filesize
1.7MB

Download
memory/2624-54-0x0000000074560000-0x00000000746D4000-memory.dmp

Filesize
1.5MB

Download
memory/2624-52-0x0000000074573000-0x0000000074575000-memory.dmp

Filesize
8KB

Download
memory/2624-53-0x0000000074560000-0x00000000746D4000-memory.dmp

Filesize
1.5MB

Download
memory/2624-50-0x0000000074560000-0x00000000746D4000-memory.dmp

Filesize
1.5MB

Download
memory/2628-82-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2628-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2628-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2628-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2628-79-0x00000000770C0000-0x0000000077269000-memory.dmp

Filesize
1.7MB

Download
memory/2628-80-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2628-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2628-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2628-84-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2628-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2628-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2628-87-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2628-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2628-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2628-90-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2628-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2840-30-0x00000000770C0000-0x0000000077269000-memory.dmp

Filesize
1.7MB

Download
memory/2840-29-0x00000000745E0000-0x0000000074754000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing