remcos | e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d

Analysis

max time kernel
7s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
Size

1.7MB
MD5

44d2a54c0ed05d26da2f362d9f40828c
SHA1

591c6d2bf71d06e479e10b54009a10f8ec7139e6
SHA256

e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d
SHA512

22b5ad365ba03fa902e713405b1eb6a711f3b25f1fd1049a0fce796abf579a13ab6e03899a5ea715e330b5182d9430112f3cc233f308abdb857640eb40c6de8b
SSDEEP

24576:ZD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPj8/j7J:Zp7E+QrFUBgq20

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe"	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe

pid	process
2132	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
2132	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
2132	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
2132	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
2132	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
2132	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe

description pid process

Token: SeDebugPrivilege 2132 e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe

description	pid	process
Token: SeDebugPrivilege	2132	e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe

C:\Users\Admin\AppData\Local\Temp\e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe
"C:\Users\Admin\AppData\Local\Temp\e1b343ba8a8e3d87436bf5f880a17f4bc43a1ac4acf2cbb90bf51207554cbb3d.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
2⤵
PID:1204

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
3⤵
PID:2084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
1⤵
PID:3628

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
Filesize
1.8MB

MD5
824ba8f1ba19abf3970188dd524be0fa

SHA1
fcab3793b956fda581baffc86c2e44e8151405b6

SHA256
cd51554468ebaa2b07da9b463ff4dd8c9a3427c4a0c844dcc1add56516cac17e

SHA512
84c58063731fd6cdc0c7f66d841306d015c48586450fa91f3c0b3fd8e17776ff3bbc3abd6c3d6b0d3021735220e304fe9fc230b06926189174735f96543b2377

Download Submit
memory/1204-29-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/1204-44-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/1204-31-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/1204-32-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/1204-30-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/2084-43-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2084-37-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2084-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2084-40-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2084-36-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2084-33-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2084-47-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2132-28-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/2132-5-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/2132-6-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/2132-2-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/2132-0-0x0000000075402000-0x0000000075403000-memory.dmp

Filesize
4KB

Download
memory/2132-1-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download