remcos | 897a2a6c905eb684d234ef755f57ef51d44a9247b72b491f14f7b77ca765fc51

General

Target

Paymanet_Slip_pdf.exe
Size

1.3MB
MD5

30f517518e95d9ac519cccc8fc46bdaf
SHA1

2e0e9348b80ce7c2c9659249ce3495f69558fce7
SHA256

641931537565b357665bc8ed70c2449ed728c50e5ec3db3cfe17fc0257494d12
SHA512

9664b6f4f0feebb6eb3a54ff77c4b733ac032b92b26b3674456a9e8f1bed1cd37132e3e9310964a2bd6809bfd671afca0504d9976ab393de73e75fb374f9fdfb
SSDEEP

24576:vaHUIy+zim0CY8iMo6btLl1IiyolkXov6Qnxo3LVJFbt6fyOYMw76iHrrU:vaHUIy+g8iMJtl1aYvTnxoz7eoMw76d

Score

10^/10

remcos feb 13 discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

FEB 13

C2

oktoviyanto.ddns.net:9373

103.186.117.61:9373

benhenry2234.zapto.org:9373

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MK1WZA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2580	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2756 set thread context of 2576	2756	Paymanet_Slip_pdf.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paymanet_Slip_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paymanet_Slip_pdf.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2756	Paymanet_Slip_pdf.exe
2756	Paymanet_Slip_pdf.exe
2580	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	Paymanet_Slip_pdf.exe
Token: SeDebugPrivilege	2580	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2576	Paymanet_Slip_pdf.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2580	2756	Paymanet_Slip_pdf.exe	30
PID 2756 wrote to memory of 2580	2756	Paymanet_Slip_pdf.exe	30
PID 2756 wrote to memory of 2580	2756	Paymanet_Slip_pdf.exe	30
PID 2756 wrote to memory of 2580	2756	Paymanet_Slip_pdf.exe	30
PID 2756 wrote to memory of 2692	2756	Paymanet_Slip_pdf.exe	31
PID 2756 wrote to memory of 2692	2756	Paymanet_Slip_pdf.exe	31
PID 2756 wrote to memory of 2692	2756	Paymanet_Slip_pdf.exe	31
PID 2756 wrote to memory of 2692	2756	Paymanet_Slip_pdf.exe	31
PID 2756 wrote to memory of 2576	2756	Paymanet_Slip_pdf.exe	34
PID 2756 wrote to memory of 2576	2756	Paymanet_Slip_pdf.exe	34
PID 2756 wrote to memory of 2576	2756	Paymanet_Slip_pdf.exe	34
PID 2756 wrote to memory of 2576	2756	Paymanet_Slip_pdf.exe	34
PID 2756 wrote to memory of 2576	2756	Paymanet_Slip_pdf.exe	34
PID 2756 wrote to memory of 2576	2756	Paymanet_Slip_pdf.exe	34
PID 2756 wrote to memory of 2576	2756	Paymanet_Slip_pdf.exe	34
PID 2756 wrote to memory of 2576	2756	Paymanet_Slip_pdf.exe	34
PID 2756 wrote to memory of 2576	2756	Paymanet_Slip_pdf.exe	34
PID 2756 wrote to memory of 2576	2756	Paymanet_Slip_pdf.exe	34
PID 2756 wrote to memory of 2576	2756	Paymanet_Slip_pdf.exe	34
PID 2756 wrote to memory of 2576	2756	Paymanet_Slip_pdf.exe	34
PID 2756 wrote to memory of 2576	2756	Paymanet_Slip_pdf.exe	34

C:\Users\Admin\AppData\Local\Temp\Paymanet_Slip_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Paymanet_Slip_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yXboODbukpz.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yXboODbukpz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8150.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\Paymanet_Slip_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Paymanet_Slip_pdf.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
ac371bd401170d2602e1d73296b89a6f

SHA1
05318deff9cbc02621fbd16d5a6b020f531129e3

SHA256
a1d40a9160af9841c2fdf386cfd5831ea8cde0d7b2c3ea91d7a9e0a821c05e4f

SHA512
159cedb9da75a82b9c6966485b6b81cdafeb256315679082aea28592b58bfaf561557a0fb0951c0ec1af899303a7d985a4a6e95f130f7ce3247d8dae9ad40c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8150.tmp

Filesize
1KB

MD5
9d3bf6c9473546ddc76ed9e311c38de6

SHA1
7d1a6cfa24030add01b2d91d5635a396e9c9efa6

SHA256
abb9448d5cfe3a90b773b0224328bee74a7936817a1c5b48fe9cd5fb7d56bec7

SHA512
9a0d047d3493d12a745e1e14f2d75b646dd84f40d9a0e280dc008d2704b55495b22033669bbbb207ded51b80afd96cba7bf47605a01982091860527e68f2a430

Download Submit
memory/2576-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-34-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-59-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-31-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-26-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-58-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-18-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-38-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2756-1-0x0000000000FF0000-0x000000000114E000-memory.dmp

Filesize
1.4MB

Download
memory/2756-3-0x0000000000960000-0x000000000097E000-memory.dmp

Filesize
120KB

Download
memory/2756-0-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download
memory/2756-37-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2756-2-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2756-6-0x000000000B220000-0x000000000B2E0000-memory.dmp

Filesize
768KB

Download
memory/2756-5-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2756-4-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads