remcos | 63c6397f3431639ee54b68cf2837024862d699ccdc41cddf64058be91ae0b87e

General

Target

Edgeviewwebs.exe
Size

2.5MB
MD5

00c1daf7a4eb037fe33278fe676663ea
SHA1

d39aeaf8b76b6176109958653db7dbd64fa69882
SHA256

63c6397f3431639ee54b68cf2837024862d699ccdc41cddf64058be91ae0b87e
SHA512

5824bff18621563fb94bfef2742b922e5bb32d09a5b6b44415e67104dd59552b94e977b2ce3ea608728c721bd96fa256bf89f6b5892290a1346c8eee532391c1
SSDEEP

49152:cTuaAhwBhBtt49Y5t/RaSuCALkusLGZOC6c/EHXEAFJzQyMN/:cKaAh0y252SuC6kusCZjY3EAzzG/

Score

10^/10

remcos edgeweb discovery rat

Malware Config

Extracted

Family

remcos

Version

6.1.0 Light

Botnet

Edgeweb

C2

72.5.42.161:6666

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Edg-G6MPI6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 6 IoCs

flow	pid	Process
2	2876	cmd.exe
5	2876	cmd.exe
6	2876	cmd.exe
7	2876	cmd.exe
8	2876	cmd.exe
9	2876	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2912	Edgeviewwebs.exe
2680	TurboActivate.exe
2880	TurboActivate.exe

Loads dropped DLL 7 IoCs

pid	Process
2180	Edgeviewwebs.exe
2912	Edgeviewwebs.exe
2912	Edgeviewwebs.exe
2680	TurboActivate.exe
2680	TurboActivate.exe
2880	TurboActivate.exe
2608	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2880 set thread context of 2608	2880	TurboActivate.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edgeviewwebs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edgeviewwebs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurboActivate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurboActivate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2680	TurboActivate.exe
2880	TurboActivate.exe
2880	TurboActivate.exe
2880	TurboActivate.exe
2608	cmd.exe
2608	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2880	TurboActivate.exe
2608	cmd.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2912	2180	Edgeviewwebs.exe	30
PID 2180 wrote to memory of 2912	2180	Edgeviewwebs.exe	30
PID 2180 wrote to memory of 2912	2180	Edgeviewwebs.exe	30
PID 2180 wrote to memory of 2912	2180	Edgeviewwebs.exe	30
PID 2912 wrote to memory of 2680	2912	Edgeviewwebs.exe	31
PID 2912 wrote to memory of 2680	2912	Edgeviewwebs.exe	31
PID 2912 wrote to memory of 2680	2912	Edgeviewwebs.exe	31
PID 2912 wrote to memory of 2680	2912	Edgeviewwebs.exe	31
PID 2680 wrote to memory of 2880	2680	TurboActivate.exe	32
PID 2680 wrote to memory of 2880	2680	TurboActivate.exe	32
PID 2680 wrote to memory of 2880	2680	TurboActivate.exe	32
PID 2680 wrote to memory of 2880	2680	TurboActivate.exe	32
PID 2880 wrote to memory of 2608	2880	TurboActivate.exe	33
PID 2880 wrote to memory of 2608	2880	TurboActivate.exe	33
PID 2880 wrote to memory of 2608	2880	TurboActivate.exe	33
PID 2880 wrote to memory of 2608	2880	TurboActivate.exe	33
PID 2880 wrote to memory of 2608	2880	TurboActivate.exe	33
PID 2608 wrote to memory of 2876	2608	cmd.exe	35
PID 2608 wrote to memory of 2876	2608	cmd.exe	35
PID 2608 wrote to memory of 2876	2608	cmd.exe	35
PID 2608 wrote to memory of 2876	2608	cmd.exe	35
PID 2608 wrote to memory of 2876	2608	cmd.exe	35
PID 2608 wrote to memory of 2876	2608	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\Edgeviewwebs.exe
"C:\Users\Admin\AppData\Local\Temp\Edgeviewwebs.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\TEMP\{94B674EB-A5BC-4211-87CD-928067F5D8B5}\.cr\Edgeviewwebs.exe
  "C:\Windows\TEMP\{94B674EB-A5BC-4211-87CD-928067F5D8B5}\.cr\Edgeviewwebs.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\Edgeviewwebs.exe" -burn.filehandle.attached=216 -burn.filehandle.self=212
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\TEMP\{2AC56C00-F4DF-41F9-97F3-E6A4DF1B7F5C}\.ba\TurboActivate.exe
    C:\Windows\TEMP\{2AC56C00-F4DF-41F9-97F3-E6A4DF1B7F5C}\.ba\TurboActivate.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Roaming\CJRMake_test\TurboActivate.exe
      C:\Users\Admin\AppData\Roaming\CJRMake_test\TurboActivate.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\198481e0

Filesize
1.1MB

MD5
b08094e7050db9cf6b36bf20b7e83950

SHA1
92bc3713fdc70d4a3b45bcab218be275c6d8b5b3

SHA256
2c0597c7bce046e34c924a0b5946bfc4bd3b219899cb60d9f8960cc95e2cb61a

SHA512
d46cd20d7e298b1786325897a6cfe41b304e63bbec10b289d3c5cf787cb8b257270ed944f164e28d5861be456bf43bbc92336b4139c14e7318867dcb30095839

Download Submit
C:\Windows\TEMP\{2AC56C00-F4DF-41F9-97F3-E6A4DF1B7F5C}\.ba\TurboActivate.dll

Filesize
1.1MB

MD5
6eb71453c1fa92a1da76de9900dabd2e

SHA1
621d709365de5162353314ff29ef94eebd44b022

SHA256
e20c675dffa04b43dd782d97066394a58b48f4c56f0656196240b1fa866d2876

SHA512
3bc5b8c125eba4e9f15c48127e945ec39e62dc7c95b53f9349e1d78669a83409a844d5f14d0b0d41512af20f474aa75b54615d862eb0faa0f11a0c429b85c2cc

Download Submit
C:\Windows\TEMP\{2AC56C00-F4DF-41F9-97F3-E6A4DF1B7F5C}\.ba\chlamydia.ai

Filesize
907KB

MD5
9d6d7d788162b2545aedd074d3ed4934

SHA1
18d0ebfae375635ae30e819ecf2bae2a258bfbc3

SHA256
a75af108cbdaad909b209bef6689ba3c5bbe1fb4cad84b957fdf759ad54b9601

SHA512
4b8dfe1ab018d500f5424284650356682eb2bca12126379b60616be7c9c65fc0ecef03c4b138d2976a72ba466476276e96be190dd893c826be42bbc8f8e02dc6

Download Submit
C:\Windows\Temp\{2AC56C00-F4DF-41F9-97F3-E6A4DF1B7F5C}\.ba\dyskinesia.iso

Filesize
69KB

MD5
70517f819f81588a8e3ca18cddab71ab

SHA1
b3597b602ed1923c6c8f32cf45ca4aea29c970fb

SHA256
d83ca7bf0b198887864fe314561128bb1955105ebb75929a26cfecdac00758b0

SHA512
67cec4435a0aba475725df6b3145ba128bf444722aa4c142624dd15e110f9dd0d297d07db7b26b08ca815d92bef23c84eca5dda5838f217299ef87a5f86d59a6

Download Submit
\Windows\Temp\{2AC56C00-F4DF-41F9-97F3-E6A4DF1B7F5C}\.ba\Decennary.dll

Filesize
626KB

MD5
77435ab4fc2663f5c0b010234bd48daa

SHA1
d772bf675e3db41ec83d49e5a92d2fa176da921e

SHA256
cdfa16d810a6616418b8332a46302ac220ff18fd3f0d5aa559447ef1ee752791

SHA512
d589621cddc629700025c7a5190feb2394c0db33b77aef122b8e666cac8fc5b02cf971adb43d712158fa1805b9a58f81aa0da99578dbe4c42dc73d0a2a9480b1

Download Submit
\Windows\Temp\{2AC56C00-F4DF-41F9-97F3-E6A4DF1B7F5C}\.ba\TurboActivate.exe

Filesize
286KB

MD5
d9c75a5749132d77ae709c5eae6fe9dd

SHA1
0142e7c95d4e5a691160d3330fdb626e196715a3

SHA256
5a4a4aeba559b86db6d95eacc289ad27f84749e35cb51587d26355bf7732548a

SHA512
56b4971ecd595f2198557204eeeaf05e465c31728e2df776202199e28668c42344a7e0f52b191604b45ea0ebaa4fe050b97c7243a5f809a42c5e322f74326975

Download Submit
\Windows\Temp\{94B674EB-A5BC-4211-87CD-928067F5D8B5}\.cr\Edgeviewwebs.exe

Filesize
2.4MB

MD5
cda7e99fccff66f8c74e095b8a68ce3c

SHA1
8f18edaaae0193ccee9b8fe0ad8187238ca199b9

SHA256
11c9aa66f47deedddb7c37bcd2e4eeab947336cd6084a4996511dca48f92a368

SHA512
f08bbe26b9266767424060881f92049a10d37f94edac809edde2af32f52d3581a1c07055d4e18cd8eef7699b7c4ad95f1c21b50ac43d0378d1be3d462ee12887

Download Submit
memory/2608-90-0x0000000074190000-0x0000000074304000-memory.dmp

Filesize
1.5MB

Download
memory/2608-43-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/2680-23-0x0000000074240000-0x00000000743B4000-memory.dmp

Filesize
1.5MB

Download
memory/2680-24-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/2876-93-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2876-99-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2876-107-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2876-106-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2876-92-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2876-94-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/2876-96-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2876-97-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2876-98-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2876-105-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2876-100-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2876-101-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2876-102-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2876-103-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2876-104-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2880-40-0x0000000074190000-0x0000000074304000-memory.dmp

Filesize
1.5MB

Download
memory/2880-38-0x0000000074190000-0x0000000074304000-memory.dmp

Filesize
1.5MB

Download
memory/2880-39-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing