remcos | 0058d7641d39317196b635c319eb61e845ba2f853005d71929308f86179ee99f

General

Target

Air Waybill no 6979374150.jpg.exe
Size

1.2MB
MD5

b0c5db5da6ddac16b5e0d10541b490c9
SHA1

4f5ce083d1cddf3accc4546aff8f1947398d25ab
SHA256

ba07a481a7e8a35c8b0f80de7ceb81307f0efd284656bece481aa4ac4e088af9
SHA512

2993c8d5dfd695771007048bef14e1a9ead4106d7a438a1a934b5af8439263448092aab6fda3f9b0976e4523a106ba52615adfda7afd8dea22d91a7f863081b7
SSDEEP

24576:eu6J33O0c+JY5UZ+XC0kGso6Fa2B5P6q0yg9nd7kRMdXWY:wu0c++OCvkGs9Fa2L6q+d6Y

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

103.83.87.190:5817

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-E1OC2H
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vevina.vbs	Vevina.exe

Executes dropped EXE 1 IoCs

pid	Process
5768	Vevina.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00070000000223cd-9.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5768 set thread context of 4712	5768	Vevina.exe	91

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Air Waybill no 6979374150.jpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vevina.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5768	Vevina.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4712	svchost.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4712	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 5768	3952	Air Waybill no 6979374150.jpg.exe	88
PID 3952 wrote to memory of 5768	3952	Air Waybill no 6979374150.jpg.exe	88
PID 3952 wrote to memory of 5768	3952	Air Waybill no 6979374150.jpg.exe	88
PID 5768 wrote to memory of 4712	5768	Vevina.exe	91
PID 5768 wrote to memory of 4712	5768	Vevina.exe	91
PID 5768 wrote to memory of 4712	5768	Vevina.exe	91
PID 5768 wrote to memory of 4712	5768	Vevina.exe	91

C:\Users\Admin\AppData\Local\Temp\Air Waybill no 6979374150.jpg.exe
"C:\Users\Admin\AppData\Local\Temp\Air Waybill no 6979374150.jpg.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\bothsided\Vevina.exe
  "C:\Users\Admin\AppData\Local\Temp\Air Waybill no 6979374150.jpg.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5768
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Air Waybill no 6979374150.jpg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\bothsided\Vevina.exe

Filesize
1.2MB

MD5
b0c5db5da6ddac16b5e0d10541b490c9

SHA1
4f5ce083d1cddf3accc4546aff8f1947398d25ab

SHA256
ba07a481a7e8a35c8b0f80de7ceb81307f0efd284656bece481aa4ac4e088af9

SHA512
2993c8d5dfd695771007048bef14e1a9ead4106d7a438a1a934b5af8439263448092aab6fda3f9b0976e4523a106ba52615adfda7afd8dea22d91a7f863081b7

Download Submit
memory/3952-6-0x0000000001510000-0x0000000001910000-memory.dmp

Filesize
4.0MB

Download
memory/4712-27-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-32-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-21-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-22-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-23-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-24-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-25-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-26-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-28-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-42-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-29-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-20-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-34-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-33-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-35-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-37-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-38-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-39-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-40-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4712-41-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5768-18-0x0000000000DE0000-0x00000000011E0000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing