remcos | 938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb

General

Target

938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe
Size

1004KB
MD5

7b7ba5ba43ad5c8a80c3314ae5544de9
SHA1

431292ede5d380f37e37d8b6a5e2cc139cf65626
SHA256

938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb
SHA512

cc51fbc4553b2461aa0355fc71093ded5c0b09c1e6266d9a762df2045943da3579b93928547efd3d4ba18352b2e70a10ce8f67d173944f16480953136e23a5b4
SSDEEP

12288:hp+rgRNyA55IxJ+feDOa9rZj5XqkJD0QrOod7XxlW91RRzwAY3AzCO:hpugRNJI1D39dlfGQrFUxwAeAzCO

Score

10^/10

remcos host discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Host

C2

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe

Executes dropped EXE 2 IoCs

pid	Process
5420	sbietrcl.exe
4560	sbietrcl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe"	938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5420 set thread context of 4560	5420	sbietrcl.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sbietrcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
228	938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe
228	938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe
228	938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe
228	938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe
228	938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe
228	938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe
5420	sbietrcl.exe
5420	sbietrcl.exe
5420	sbietrcl.exe
5420	sbietrcl.exe
5420	sbietrcl.exe
5420	sbietrcl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe
Token: SeDebugPrivilege	5420	sbietrcl.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 5420	228	938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe	94
PID 228 wrote to memory of 5420	228	938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe	94
PID 228 wrote to memory of 5420	228	938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe	94
PID 5420 wrote to memory of 4560	5420	sbietrcl.exe	96
PID 5420 wrote to memory of 4560	5420	sbietrcl.exe	96
PID 5420 wrote to memory of 4560	5420	sbietrcl.exe	96
PID 5420 wrote to memory of 4560	5420	sbietrcl.exe	96
PID 5420 wrote to memory of 4560	5420	sbietrcl.exe	96
PID 5420 wrote to memory of 4560	5420	sbietrcl.exe	96
PID 5420 wrote to memory of 4560	5420	sbietrcl.exe	96
PID 5420 wrote to memory of 4560	5420	sbietrcl.exe	96
PID 5420 wrote to memory of 4560	5420	sbietrcl.exe	96

C:\Users\Admin\AppData\Local\Temp\938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe
"C:\Users\Admin\AppData\Local\Temp\938f7701486c58227b61647b0f34fdaab18fa981ac621d45b7101a14116501fb.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5420
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
    3⤵
    - Executes dropped EXE
    PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

Filesize
1013KB

MD5
65ba7d298e36e60acb6abfc2f9946d35

SHA1
67d329cdc8a4642076f88a1b338edea487d6d50c

SHA256
de3f4f1771ef84aa3319f41186bfe141b45a567231a102308460fadb476276fc

SHA512
9c4a4df375fdefdc99539ca4fd4448ec8f731a6b81a5e67754abfd7913114706966ed312eb7a8317314e01c9a2193592bc046199b1bcf7d39bd0b348e840c421

Download Submit
memory/228-19-0x0000000074E72000-0x0000000074E73000-memory.dmp

Filesize
4KB

Download
memory/228-30-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/228-5-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/228-6-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/228-18-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/228-0-0x0000000074E72000-0x0000000074E73000-memory.dmp

Filesize
4KB

Download
memory/228-1-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/228-2-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/4560-36-0x0000000000800000-0x0000000000817000-memory.dmp

Filesize
92KB

Download
memory/5420-31-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/5420-32-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/5420-33-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/5420-34-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/5420-40-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads