remcos | e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
Size

1.7MB
MD5

44d2a54c0ed05d26da2f362d9f40828c
SHA1

591c6d2bf71d06e479e10b54009a10f8ec7139e6
SHA256

e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d
SHA512

22b5ad365ba03fa902e713405b1eb6a711f3b25f1fd1049a0fce796abf579a13ab6e03899a5ea715e330b5182d9430112f3cc233f308abdb857640eb40c6de8b
SSDEEP

24576:ZD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPj8/j7J:Zp7E+QrFUBgq20

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Host

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

sbietrcl.exesbietrcl.exe

pid process

2716 sbietrcl.exe
2656 sbietrcl.exe
Loads dropped DLL 1 IoCs

Processes:

e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe

pid process

1656 e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe

pid	process
2716	sbietrcl.exe
2656	sbietrcl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe"	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sbietrcl.exe

description pid process target process

PID 2716 set thread context of 2656 2716 sbietrcl.exe sbietrcl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2716 set thread context of 2656	2716	sbietrcl.exe	sbietrcl.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exesbietrcl.exe

pid	process
1656	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
1656	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
1656	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
1656	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
1656	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
1656	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
2716	sbietrcl.exe
2716	sbietrcl.exe
2716	sbietrcl.exe
2716	sbietrcl.exe
2716	sbietrcl.exe
2716	sbietrcl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exesbietrcl.exe

description pid process

Token: SeDebugPrivilege 1656 e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
Token: SeDebugPrivilege 2716 sbietrcl.exe

description	pid	process
Token: SeDebugPrivilege	1656	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
Token: SeDebugPrivilege	2716	sbietrcl.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exesbietrcl.exe

description	pid	process	target process
PID 1656 wrote to memory of 2716	1656	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe	sbietrcl.exe
PID 1656 wrote to memory of 2716	1656	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe	sbietrcl.exe
PID 1656 wrote to memory of 2716	1656	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe	sbietrcl.exe
PID 1656 wrote to memory of 2716	1656	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe	sbietrcl.exe
PID 2716 wrote to memory of 2656	2716	sbietrcl.exe	sbietrcl.exe
PID 2716 wrote to memory of 2656	2716	sbietrcl.exe	sbietrcl.exe
PID 2716 wrote to memory of 2656	2716	sbietrcl.exe	sbietrcl.exe
PID 2716 wrote to memory of 2656	2716	sbietrcl.exe	sbietrcl.exe
PID 2716 wrote to memory of 2656	2716	sbietrcl.exe	sbietrcl.exe
PID 2716 wrote to memory of 2656	2716	sbietrcl.exe	sbietrcl.exe
PID 2716 wrote to memory of 2656	2716	sbietrcl.exe	sbietrcl.exe
PID 2716 wrote to memory of 2656	2716	sbietrcl.exe	sbietrcl.exe
PID 2716 wrote to memory of 2656	2716	sbietrcl.exe	sbietrcl.exe
PID 2716 wrote to memory of 2656	2716	sbietrcl.exe	sbietrcl.exe

C:\Users\Admin\AppData\Local\Temp\e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
"C:\Users\Admin\AppData\Local\Temp\e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
3⤵
- Executes dropped EXE
PID:2656

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3842fa8c18d1624d12c71c32d8c68232

SHA1
1e9f10f4df776d5b69b2c548404a089ac6b96839

SHA256
12b870331631fa6341411da5f4ea7c2d87797b659ee7a020af9f50cdfd721802

SHA512
fe1661d5cfaf714f1a769f9a44eb038e4116cde16c6ffa7816b578338c54dcdd041415630654cb490d3bf4a2ef829ec4cdd5f137e2987c41f339fa7800d06c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3708.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
Filesize
1.8MB

MD5
ae154d9ba76d4e349951941177a14761

SHA1
e3b58a5009313a2a51969153a1d25b7536bc18cf

SHA256
e740f019ab0551f3aa03d16b2fb60958bdbb43966198cab9b35e65831dc59cba

SHA512
a7d9bb03b6815e3b1ea81bef27f14cb89e10f235c9ae94008069de0165997d03679bdea570bf490e17cabbfac5263f6acbad36beea4e683847bb063fe5f490b8

Download Submit
memory/1656-30-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1656-12-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1656-0-0x0000000074761000-0x0000000074762000-memory.dmp

Filesize
4KB

Download
memory/1656-11-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1656-1-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-49-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/2656-43-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/2656-45-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/2656-47-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/2656-54-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/2656-48-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/2656-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-31-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-57-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-41-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-42-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-32-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads