remcos | 79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c

General

Target

79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
Size

372KB
MD5

11710b925ff1d5ecf510f0b18edcf213
SHA1

73e543fe16aa27095b711e8b6fce0b2647ec83f9
SHA256

79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c
SHA512

116483b771849049db5879e074365c0680f4377a0a8802a27ac762b616e8d9d8c6127aaafe2fe0758e14ce4f9175a85c3f2b0febcc23f22a5bceffd3833da802
SSDEEP

6144:tLdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhiyq:tBqQx+H2i+8LBNbdypazCXY8

Score

10^/10

remcos tino discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

TINo

C2

185.140.53.140:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
true
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-5S9O07
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 2 IoCs

pid	Process
2076	hab.exe
852	hab.exe

Loads dropped DLL 3 IoCs

pid	Process
2080	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
2080	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
2076	hab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2868 set thread context of 2080	2868	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe	28
PID 2076 set thread context of 852	2076	hab.exe	30

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2868	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
2868	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
2080	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
2080	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
2076	hab.exe
2076	hab.exe
852	hab.exe
852	hab.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2868	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
2868	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
2080	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
2080	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
2076	hab.exe
2076	hab.exe
852	hab.exe
852	hab.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2868	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
2080	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
2076	hab.exe
852	hab.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2080	2868	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe	28
PID 2868 wrote to memory of 2080	2868	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe	28
PID 2868 wrote to memory of 2080	2868	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe	28
PID 2868 wrote to memory of 2080	2868	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe	28
PID 2080 wrote to memory of 2076	2080	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe	29
PID 2080 wrote to memory of 2076	2080	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe	29
PID 2080 wrote to memory of 2076	2080	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe	29
PID 2080 wrote to memory of 2076	2080	79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe	29
PID 2076 wrote to memory of 852	2076	hab.exe	30
PID 2076 wrote to memory of 852	2076	hab.exe	30
PID 2076 wrote to memory of 852	2076	hab.exe	30
PID 2076 wrote to memory of 852	2076	hab.exe	30

C:\Users\Admin\AppData\Local\Temp\79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
"C:\Users\Admin\AppData\Local\Temp\79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe
  "C:\Users\Admin\AppData\Local\Temp\79fdf0e96e03cce9d7c56e3316dd7b8d5722f3d371f7120598f922039ae59b2c.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
64030da8412922776f51f820b2cd9d8f

SHA1
cf45e7ad5961939c17da1371e473d5f72e62e53b

SHA256
e7d2ba76eb656b56a26b4cd17caaf3e2c583a4b885139af475906d2e9e853e0a

SHA512
0b60fddb76021bfb21e3fd566a72f8fc4b0555d79f4ca0367572c56cfaa4874845d55359efdf65757143758cbeb36502792a232bb9b689e494220589d40e0ed4

Download Submit
memory/852-36-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/852-34-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2080-14-0x0000000077960000-0x0000000077B09000-memory.dmp

Filesize
1.7MB

Download
memory/2868-2-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/2868-4-0x0000000077961000-0x0000000077A62000-memory.dmp

Filesize
1.0MB

Download
memory/2868-5-0x0000000077960000-0x0000000077B09000-memory.dmp

Filesize
1.7MB

Download
memory/2868-13-0x0000000077B50000-0x0000000077C26000-memory.dmp

Filesize
856KB

Download
memory/2868-12-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads