remcos | e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe
Size

1.8MB
MD5

8feedebaa3a0e66b40787ad171c8a9a2
SHA1

59cf58564a0beb92fb86e9b1ffd1569580d5b63c
SHA256

e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13
SHA512

7e137e01656f5045e7d3ba4a12eebb37147491fc404de4710b477a75805cae57efe38037f9c1b74307305ccb971fcdf086360ca6d1d5b175db406b6c3853d9eb
SSDEEP

24576:XD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjYFEQB:Xp7E+QrFUBgq2G

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Host

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation	e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe

Executes dropped EXE 2 IoCs

Processes:

sbietrcl.exesbietrcl.exe

pid process

4124 sbietrcl.exe
1984 sbietrcl.exe

pid	process
4124	sbietrcl.exe
1984	sbietrcl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe"	e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sbietrcl.exe

description pid process target process

PID 4124 set thread context of 1984 4124 sbietrcl.exe sbietrcl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4124 set thread context of 1984	4124	sbietrcl.exe	sbietrcl.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exesbietrcl.exe

pid	process
4560	e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe
4560	e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe
4560	e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe
4560	e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe
4560	e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe
4560	e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe
4124	sbietrcl.exe
4124	sbietrcl.exe
4124	sbietrcl.exe
4124	sbietrcl.exe
4124	sbietrcl.exe
4124	sbietrcl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exesbietrcl.exe

description pid process

Token: SeDebugPrivilege 4560 e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe
Token: SeDebugPrivilege 4124 sbietrcl.exe

description	pid	process
Token: SeDebugPrivilege	4560	e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe
Token: SeDebugPrivilege	4124	sbietrcl.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exesbietrcl.exe

description	pid	process	target process
PID 4560 wrote to memory of 4124	4560	e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe	sbietrcl.exe
PID 4560 wrote to memory of 4124	4560	e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe	sbietrcl.exe
PID 4560 wrote to memory of 4124	4560	e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe	sbietrcl.exe
PID 4124 wrote to memory of 1984	4124	sbietrcl.exe	sbietrcl.exe
PID 4124 wrote to memory of 1984	4124	sbietrcl.exe	sbietrcl.exe
PID 4124 wrote to memory of 1984	4124	sbietrcl.exe	sbietrcl.exe
PID 4124 wrote to memory of 1984	4124	sbietrcl.exe	sbietrcl.exe
PID 4124 wrote to memory of 1984	4124	sbietrcl.exe	sbietrcl.exe
PID 4124 wrote to memory of 1984	4124	sbietrcl.exe	sbietrcl.exe
PID 4124 wrote to memory of 1984	4124	sbietrcl.exe	sbietrcl.exe
PID 4124 wrote to memory of 1984	4124	sbietrcl.exe	sbietrcl.exe
PID 4124 wrote to memory of 1984	4124	sbietrcl.exe	sbietrcl.exe

C:\Users\Admin\AppData\Local\Temp\e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe
"C:\Users\Admin\AppData\Local\Temp\e577d8d262b59c0ae162505b5a4a7af49879e51f7e22b9584042516184da4c13.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
3⤵
- Executes dropped EXE
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
Filesize
1.8MB

MD5
3de87699e6879dcc862bef1b62f9b96e

SHA1
0f670c6b80e4458a0e63fa53fbaba15b0edd52ff

SHA256
56ad6c855b78331d37f0623bc83c26c14f2d6e25f48d0bf781b08af766229513

SHA512
08cd679dafba8321eee87de470e9acd004d2c64bbafa7a3cb19987f7f31c36db8c0962a11deb22307a74e337efd2f01e376047e870739270dafb72711dd9b39e

Download Submit
memory/1984-32-0x0000000000580000-0x0000000000597000-memory.dmp

Filesize
92KB

Download
memory/4124-27-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/4124-36-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/4124-30-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/4124-29-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/4124-28-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/4560-3-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/4560-26-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/4560-4-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/4560-0-0x0000000074D02000-0x0000000074D03000-memory.dmp

Filesize
4KB

Download
memory/4560-2-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/4560-1-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download