remcos | 6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192

General

Target

6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe
Size

1.1MB
MD5

a72b4bcb182f1051674b27e3c84e550f
SHA1

938d4163a9a9485b8310866b9095a7e0ac6f0362
SHA256

6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192
SHA512

8820e7c7702894de6996455a48f49675f3699cc4002e98cbdf7a1c610db1decaa5c2156e30d9a87c5cbb248d904201acbd30d09072fadfd08b4568db8855f313
SSDEEP

24576:eaTgKwZ14X27uUL3VM0kd+rkhfMsjgkAj2JE06J5N0Fi:LTgdZOcuUL3xAx/8b2S7Z0c

Score

10^/10

remcos chinemerem discovery rat

Malware Config

Extracted

Family

remcos

Version

2.2.2 Pro

Botnet

chinemerem

C2

remcoss.onmypc.org:3765

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
r-8ET8H0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	AboutSettingsHandlers.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	AboutSettingsHandlers.exe

Executes dropped EXE 4 IoCs

pid	Process
5240	AboutSettingsHandlers.exe
1372	AboutSettingsHandlers.exe
6116	AboutSettingsHandlers.exe
5664	AboutSettingsHandlers.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2576-16-0x0000000000410000-0x0000000000599000-memory.dmp	autoit_exe
behavioral2/memory/2576-21-0x0000000000410000-0x0000000000599000-memory.dmp	autoit_exe
behavioral2/memory/5240-41-0x00000000005E0000-0x0000000000769000-memory.dmp	autoit_exe
behavioral2/memory/5240-43-0x00000000005E0000-0x0000000000769000-memory.dmp	autoit_exe
behavioral2/memory/5240-44-0x00000000005E0000-0x0000000000769000-memory.dmp	autoit_exe
behavioral2/memory/6116-60-0x00000000005E0000-0x0000000000769000-memory.dmp	autoit_exe
behavioral2/memory/6116-61-0x00000000005E0000-0x0000000000769000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 4328	2576	6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe	91
PID 5240 set thread context of 1372	5240	AboutSettingsHandlers.exe	108
PID 6116 set thread context of 5664	6116	AboutSettingsHandlers.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AboutSettingsHandlers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AboutSettingsHandlers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4184	schtasks.exe
4388	schtasks.exe
4788	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4328	6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 4328	2576	6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe	91
PID 2576 wrote to memory of 4328	2576	6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe	91
PID 2576 wrote to memory of 4328	2576	6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe	91
PID 2576 wrote to memory of 4328	2576	6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe	91
PID 2576 wrote to memory of 4328	2576	6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe	91
PID 2576 wrote to memory of 4788	2576	6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe	97
PID 2576 wrote to memory of 4788	2576	6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe	97
PID 2576 wrote to memory of 4788	2576	6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe	97
PID 5240 wrote to memory of 1372	5240	AboutSettingsHandlers.exe	108
PID 5240 wrote to memory of 1372	5240	AboutSettingsHandlers.exe	108
PID 5240 wrote to memory of 1372	5240	AboutSettingsHandlers.exe	108
PID 5240 wrote to memory of 1372	5240	AboutSettingsHandlers.exe	108
PID 5240 wrote to memory of 1372	5240	AboutSettingsHandlers.exe	108
PID 5240 wrote to memory of 4184	5240	AboutSettingsHandlers.exe	110
PID 5240 wrote to memory of 4184	5240	AboutSettingsHandlers.exe	110
PID 5240 wrote to memory of 4184	5240	AboutSettingsHandlers.exe	110
PID 6116 wrote to memory of 5664	6116	AboutSettingsHandlers.exe	113
PID 6116 wrote to memory of 5664	6116	AboutSettingsHandlers.exe	113
PID 6116 wrote to memory of 5664	6116	AboutSettingsHandlers.exe	113
PID 6116 wrote to memory of 5664	6116	AboutSettingsHandlers.exe	113
PID 6116 wrote to memory of 5664	6116	AboutSettingsHandlers.exe	113
PID 6116 wrote to memory of 4388	6116	AboutSettingsHandlers.exe	114
PID 6116 wrote to memory of 4388	6116	AboutSettingsHandlers.exe	114
PID 6116 wrote to memory of 4388	6116	AboutSettingsHandlers.exe	114

C:\Users\Admin\AppData\Local\Temp\6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe
"C:\Users\Admin\AppData\Local\Temp\6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe
  "C:\Users\Admin\AppData\Local\Temp\6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4328
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn SystemSettingsAdminFlows /tr "C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4788

C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe
C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5240
- C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe
  "C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe"
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn SystemSettingsAdminFlows /tr "C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4184

C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe
C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6116
- C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe
  "C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe"
  2⤵
  - Executes dropped EXE
  PID:5664
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn SystemSettingsAdminFlows /tr "C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe

Filesize
1.1MB

MD5
b003adf7a3c47ed500e8a8da12da37bd

SHA1
915be576e68a31cca117bdab3d7b68e69c716faa

SHA256
0ac6f83530e8f854ebb911371b080cd61dde2f74509a6acd6087081b2cfec6f6

SHA512
9d3e80bee30c4bd6e238ef8de0ea3de74f2e7d14e69f0d6ca0aeb940ec54db2a396ee7897f0540c26a70365cc0d4b2f8e4115b0b25fe4934fcc93ff5f160f084

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
79B

MD5
48a1c731be778b03f7c2caa90dbdb28a

SHA1
cb5cb91f50974fb1bc01293e3ec4bf986f8fd366

SHA256
a6562a3675337b95f2cbf44fe8f935b9bacc6c93a52ef3e6e450cfd47498f592

SHA512
f855fafbfe4094ea803f244ad8aaa03b4bd50d83f5c4d2ff60671a047f74f77fc3b11ca5d66e6fce53c98feb6331d624cbc8d4f91b7450a7437307856856defd

Download Submit
memory/1372-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1372-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2576-1-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/2576-2-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

Filesize
4KB

Download
memory/2576-0-0x0000000000410000-0x0000000000599000-memory.dmp

Filesize
1.5MB

Download
memory/2576-15-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/2576-16-0x0000000000410000-0x0000000000599000-memory.dmp

Filesize
1.5MB

Download
memory/2576-21-0x0000000000410000-0x0000000000599000-memory.dmp

Filesize
1.5MB

Download
memory/4328-10-0x0000000000C60000-0x0000000000C80000-memory.dmp

Filesize
128KB

Download
memory/4328-4-0x0000000000C60000-0x0000000000C80000-memory.dmp

Filesize
128KB

Download
memory/4328-11-0x0000000000C60000-0x0000000000C80000-memory.dmp

Filesize
128KB

Download
memory/4328-14-0x0000000000C60000-0x0000000000C80000-memory.dmp

Filesize
128KB

Download
memory/5240-27-0x00000000005E0000-0x0000000000769000-memory.dmp

Filesize
1.5MB

Download
memory/5240-29-0x0000000001490000-0x0000000001493000-memory.dmp

Filesize
12KB

Download
memory/5240-40-0x0000000001490000-0x0000000001493000-memory.dmp

Filesize
12KB

Download
memory/5240-41-0x00000000005E0000-0x0000000000769000-memory.dmp

Filesize
1.5MB

Download
memory/5240-43-0x00000000005E0000-0x0000000000769000-memory.dmp

Filesize
1.5MB

Download
memory/5240-44-0x00000000005E0000-0x0000000000769000-memory.dmp

Filesize
1.5MB

Download
memory/6116-60-0x00000000005E0000-0x0000000000769000-memory.dmp

Filesize
1.5MB

Download
memory/6116-61-0x00000000005E0000-0x0000000000769000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads