remcos | 63c6397f3431639ee54b68cf2837024862d699ccdc41cddf64058be91ae0b87e

General

Target

Edgeviewwebs.exe
Size

2.5MB
MD5

00c1daf7a4eb037fe33278fe676663ea
SHA1

d39aeaf8b76b6176109958653db7dbd64fa69882
SHA256

63c6397f3431639ee54b68cf2837024862d699ccdc41cddf64058be91ae0b87e
SHA512

5824bff18621563fb94bfef2742b922e5bb32d09a5b6b44415e67104dd59552b94e977b2ce3ea608728c721bd96fa256bf89f6b5892290a1346c8eee532391c1
SSDEEP

49152:cTuaAhwBhBtt49Y5t/RaSuCALkusLGZOC6c/EHXEAFJzQyMN/:cKaAh0y252SuC6kusCZjY3EAzzG/

Score

10^/10

remcos edgeweb discovery rat

Malware Config

Extracted

Family

remcos

Version

6.1.0 Light

Botnet

Edgeweb

C2

72.5.42.161:6666

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Edg-G6MPI6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 6 IoCs

flow	pid	Process
47	112	cmd.exe
48	112	cmd.exe
55	112	cmd.exe
59	112	cmd.exe
60	112	cmd.exe
61	112	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2488	Edgeviewwebs.exe
5124	TurboActivate.exe
5428	TurboActivate.exe

Loads dropped DLL 3 IoCs

pid	Process
2488	Edgeviewwebs.exe
5124	TurboActivate.exe
5428	TurboActivate.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5428 set thread context of 5780	5428	TurboActivate.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurboActivate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edgeviewwebs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edgeviewwebs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurboActivate.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5124	TurboActivate.exe
5428	TurboActivate.exe
5428	TurboActivate.exe
5428	TurboActivate.exe
5780	cmd.exe
5780	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5428	TurboActivate.exe
5780	cmd.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5836 wrote to memory of 2488	5836	Edgeviewwebs.exe	85
PID 5836 wrote to memory of 2488	5836	Edgeviewwebs.exe	85
PID 5836 wrote to memory of 2488	5836	Edgeviewwebs.exe	85
PID 2488 wrote to memory of 5124	2488	Edgeviewwebs.exe	87
PID 2488 wrote to memory of 5124	2488	Edgeviewwebs.exe	87
PID 2488 wrote to memory of 5124	2488	Edgeviewwebs.exe	87
PID 5124 wrote to memory of 5428	5124	TurboActivate.exe	89
PID 5124 wrote to memory of 5428	5124	TurboActivate.exe	89
PID 5124 wrote to memory of 5428	5124	TurboActivate.exe	89
PID 5428 wrote to memory of 5780	5428	TurboActivate.exe	90
PID 5428 wrote to memory of 5780	5428	TurboActivate.exe	90
PID 5428 wrote to memory of 5780	5428	TurboActivate.exe	90
PID 5428 wrote to memory of 5780	5428	TurboActivate.exe	90
PID 5780 wrote to memory of 112	5780	cmd.exe	100
PID 5780 wrote to memory of 112	5780	cmd.exe	100
PID 5780 wrote to memory of 112	5780	cmd.exe	100
PID 5780 wrote to memory of 112	5780	cmd.exe	100
PID 5780 wrote to memory of 112	5780	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\Edgeviewwebs.exe
"C:\Users\Admin\AppData\Local\Temp\Edgeviewwebs.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5836
- C:\Windows\TEMP\{D506477F-75C5-438E-8977-130310808B62}\.cr\Edgeviewwebs.exe
  "C:\Windows\TEMP\{D506477F-75C5-438E-8977-130310808B62}\.cr\Edgeviewwebs.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\Edgeviewwebs.exe" -burn.filehandle.attached=700 -burn.filehandle.self=624
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\TEMP\{52CB77CD-BA0F-4B02-9063-05BF913081C4}\.ba\TurboActivate.exe
    C:\Windows\TEMP\{52CB77CD-BA0F-4B02-9063-05BF913081C4}\.ba\TurboActivate.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5124
  - - C:\Users\Admin\AppData\Roaming\CJRMake_test\TurboActivate.exe
      C:\Users\Admin\AppData\Roaming\CJRMake_test\TurboActivate.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:5428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:5780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ba360faf

Filesize
1.1MB

MD5
cfe198fa2f376bebd177c8b0991b8628

SHA1
a69af468360aaae5deef9950e6908a6fac18ac7e

SHA256
604cb0ce09c9842ec38fa31a26cf853f23be5f1d239ebb70264ceda24c00705c

SHA512
4a972f4a584a8e3bdf4181804b6c8541f62520fe9302c22038f43ce20851d1f371becc17f564a06330a431089029dfff332fc78d1d5d99d5c993f485122c43f2

Download Submit
C:\Windows\TEMP\{52CB77CD-BA0F-4B02-9063-05BF913081C4}\.ba\TurboActivate.dll

Filesize
1.1MB

MD5
6eb71453c1fa92a1da76de9900dabd2e

SHA1
621d709365de5162353314ff29ef94eebd44b022

SHA256
e20c675dffa04b43dd782d97066394a58b48f4c56f0656196240b1fa866d2876

SHA512
3bc5b8c125eba4e9f15c48127e945ec39e62dc7c95b53f9349e1d78669a83409a844d5f14d0b0d41512af20f474aa75b54615d862eb0faa0f11a0c429b85c2cc

Download Submit
C:\Windows\TEMP\{52CB77CD-BA0F-4B02-9063-05BF913081C4}\.ba\chlamydia.ai

Filesize
907KB

MD5
9d6d7d788162b2545aedd074d3ed4934

SHA1
18d0ebfae375635ae30e819ecf2bae2a258bfbc3

SHA256
a75af108cbdaad909b209bef6689ba3c5bbe1fb4cad84b957fdf759ad54b9601

SHA512
4b8dfe1ab018d500f5424284650356682eb2bca12126379b60616be7c9c65fc0ecef03c4b138d2976a72ba466476276e96be190dd893c826be42bbc8f8e02dc6

Download Submit
C:\Windows\Temp\{52CB77CD-BA0F-4B02-9063-05BF913081C4}\.ba\Decennary.dll

Filesize
626KB

MD5
77435ab4fc2663f5c0b010234bd48daa

SHA1
d772bf675e3db41ec83d49e5a92d2fa176da921e

SHA256
cdfa16d810a6616418b8332a46302ac220ff18fd3f0d5aa559447ef1ee752791

SHA512
d589621cddc629700025c7a5190feb2394c0db33b77aef122b8e666cac8fc5b02cf971adb43d712158fa1805b9a58f81aa0da99578dbe4c42dc73d0a2a9480b1

Download Submit
C:\Windows\Temp\{52CB77CD-BA0F-4B02-9063-05BF913081C4}\.ba\TurboActivate.exe

Filesize
286KB

MD5
d9c75a5749132d77ae709c5eae6fe9dd

SHA1
0142e7c95d4e5a691160d3330fdb626e196715a3

SHA256
5a4a4aeba559b86db6d95eacc289ad27f84749e35cb51587d26355bf7732548a

SHA512
56b4971ecd595f2198557204eeeaf05e465c31728e2df776202199e28668c42344a7e0f52b191604b45ea0ebaa4fe050b97c7243a5f809a42c5e322f74326975

Download Submit
C:\Windows\Temp\{52CB77CD-BA0F-4B02-9063-05BF913081C4}\.ba\dyskinesia.iso

Filesize
69KB

MD5
70517f819f81588a8e3ca18cddab71ab

SHA1
b3597b602ed1923c6c8f32cf45ca4aea29c970fb

SHA256
d83ca7bf0b198887864fe314561128bb1955105ebb75929a26cfecdac00758b0

SHA512
67cec4435a0aba475725df6b3145ba128bf444722aa4c142624dd15e110f9dd0d297d07db7b26b08ca815d92bef23c84eca5dda5838f217299ef87a5f86d59a6

Download Submit
C:\Windows\Temp\{D506477F-75C5-438E-8977-130310808B62}\.cr\Edgeviewwebs.exe

Filesize
2.4MB

MD5
cda7e99fccff66f8c74e095b8a68ce3c

SHA1
8f18edaaae0193ccee9b8fe0ad8187238ca199b9

SHA256
11c9aa66f47deedddb7c37bcd2e4eeab947336cd6084a4996511dca48f92a368

SHA512
f08bbe26b9266767424060881f92049a10d37f94edac809edde2af32f52d3581a1c07055d4e18cd8eef7699b7c4ad95f1c21b50ac43d0378d1be3d462ee12887

Download Submit
memory/112-54-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/112-56-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/112-55-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/112-51-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/112-57-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/112-53-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/112-52-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/112-45-0x00007FF92C2B0000-0x00007FF92C4A5000-memory.dmp

Filesize
2.0MB

Download
memory/112-46-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/112-47-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/112-48-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/112-49-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/112-50-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5124-19-0x0000000074630000-0x00000000747AB000-memory.dmp

Filesize
1.5MB

Download
memory/5124-20-0x00007FF92C2B0000-0x00007FF92C4A5000-memory.dmp

Filesize
2.0MB

Download
memory/5428-34-0x0000000074630000-0x00000000747AB000-memory.dmp

Filesize
1.5MB

Download
memory/5428-33-0x00007FF92C2B0000-0x00007FF92C4A5000-memory.dmp

Filesize
2.0MB

Download
memory/5428-32-0x0000000074630000-0x00000000747AB000-memory.dmp

Filesize
1.5MB

Download
memory/5780-40-0x0000000074630000-0x00000000747AB000-memory.dmp

Filesize
1.5MB

Download
memory/5780-37-0x00007FF92C2B0000-0x00007FF92C4A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing