remcos | b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2

General

Target

b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2.exe
Size

968KB
MD5

27e81492a2fd7e0f93fdf0cfb319eca9
SHA1

d3a22ffbc3ab0384083cf158e2fce9cc28605280
SHA256

b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2
SHA512

2463cc4382234a87edc8d7cd2b5493dd541f5207dc9254864fa70d0afabc49555108e10c2205b4c0a45a74cf4c52cf685e842347392a015916f98e7cca503c04

Score

10^/10

remcos zzzzzzzzzzzzzzzzzzzzzzzznuevamente rat

Malware Config

Extracted

Family

remcos

Version

2.5.1 Pro

Botnet

zzzzzzzzzzzzZZZZZZZZZZZZNUEVAMENTE

C2

dominoduck2095.duckdns.org:9597

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Chrome.exe
copy_folder
Chrome
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
system
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-NUTDL6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 4 IoCs

Processes:

cmd.exe

flow pid process

29 4636 cmd.exe
30 4636 cmd.exe
31 4636 cmd.exe
33 4636 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4504 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\rasautou.job cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

4504 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

4504 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

4636 cmd.exe

flow	pid	process
29	4636	cmd.exe
30	4636	cmd.exe
31	4636	cmd.exe
33	4636	cmd.exe

pid	process
4504	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\rasautou.job	cmd.exe

pid	process
4504	rundll32.exe

pid	process
4504	rundll32.exe

pid	process
4636	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2.exerundll32.exe

description	pid	process	target process
PID 3996 wrote to memory of 4504	3996	b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2.exe	rundll32.exe
PID 3996 wrote to memory of 4504	3996	b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2.exe	rundll32.exe
PID 3996 wrote to memory of 4504	3996	b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2.exe	rundll32.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe
PID 4504 wrote to memory of 4636	4504	rundll32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2.exe
"C:\Users\Admin\AppData\Local\Temp\b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe SkylabDewar,Hemlock
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SkylabDewar.DLL
MD5
3e6e2a7f230850309d450cf1cdfb5d04

SHA1
963e67d0921079fd79937ce954718f926cc81a9c

SHA256
9747d0196e1e19f32c53e1b7df0d64f2328e5fc492596a85ff3a931c55d748ef

SHA512
fae57f1c7390e95411d2445e88e1702376aee7710cd4fae0e62740388467a610340697a23a81d80b44e2979fca59c75ea8a5a8901b1e11e4491201a82868d4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taboret
MD5
467285dd701478d4e4b734676a23ad41

SHA1
964e17c9699b577e79bb180add2139713aa47a1e

SHA256
049ec8eb1a3161b4363babb6490d34f31175442c83cd98b0df16fac271cbbe25

SHA512
1b68548acd2513150d620a7c36a3ae7e9be883d93211cbb23234d2516cc4d4ccbff3900cef510422dcf2d3496ef9cacfbf95a9ee65127a5840ca8c5f2005acce

Download Submit
\Users\Admin\AppData\Local\Temp\SkylabDewar.dll
MD5
3e6e2a7f230850309d450cf1cdfb5d04

SHA1
963e67d0921079fd79937ce954718f926cc81a9c

SHA256
9747d0196e1e19f32c53e1b7df0d64f2328e5fc492596a85ff3a931c55d748ef

SHA512
fae57f1c7390e95411d2445e88e1702376aee7710cd4fae0e62740388467a610340697a23a81d80b44e2979fca59c75ea8a5a8901b1e11e4491201a82868d4a9

Download Submit
memory/4504-118-0x00000000755E0000-0x0000000075647000-memory.dmp

Filesize
412KB

Download
memory/4504-119-0x00007FFAD8280000-0x00007FFAD845B000-memory.dmp

Filesize
1.9MB

Download
memory/4504-120-0x0000000000540000-0x00000000005EE000-memory.dmp

Filesize
696KB

Download
memory/4636-121-0x0000000077E59000-0x0000000077E5A000-memory.dmp

Filesize
4KB

Download
memory/4636-127-0x00007FFAD8280000-0x00007FFAD845B000-memory.dmp

Filesize
1.9MB

Download
memory/4636-142-0x0000000000840000-0x0000000000846000-memory.dmp

Filesize
24KB

Download
memory/4636-153-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing