remcos | a21158ed80e44fef2a41f3796204a8ae2ff23705e80e7a0e460b612276226853

General

Target

a21158ed80e44fef2a41f3796204a8ae2ff23705e80e7a0e460b612276226853.exe
Size

972KB
MD5

72bf4beb82aad6c5b74dac433ba58cbd
SHA1

c04f007881f757a7a2ffdc94f5763b61042173b7
SHA256

a21158ed80e44fef2a41f3796204a8ae2ff23705e80e7a0e460b612276226853
SHA512

c4d55c05d255fbd973dbf08c06c38fcb90bf13c8e2a7c11151286fbfd24d26a78dc47e3aea7e6618f22bea63a18518caf534cfa2ad6a22a595c5e7861986fd76

Score

10^/10

remcos zzzzzzzzzzzzzzzzzzzzzzzlibertad rat

Malware Config

Extracted

Family

remcos

Version

2.5.1 Pro

Botnet

zzzzzzzzzzzzZZZZZZZZZZZLIBERTAD

C2

dominoduck2094.duckdns.org:9596

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Chrome.exe
copy_folder
Chrome
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
system
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-LQVOP4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 6 IoCs

Processes:

cmd.exe

flow pid process

23 3852 cmd.exe
24 3852 cmd.exe
27 3852 cmd.exe
30 3852 cmd.exe
31 3852 cmd.exe
32 3852 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2744 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\autofmt.job cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

2744 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

2744 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

3852 cmd.exe

flow	pid	process
23	3852	cmd.exe
24	3852	cmd.exe
27	3852	cmd.exe
30	3852	cmd.exe
31	3852	cmd.exe
32	3852	cmd.exe

pid	process
2744	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\autofmt.job	cmd.exe

pid	process
2744	rundll32.exe

pid	process
2744	rundll32.exe

pid	process
3852	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a21158ed80e44fef2a41f3796204a8ae2ff23705e80e7a0e460b612276226853.exerundll32.exe

description	pid	process	target process
PID 2500 wrote to memory of 2744	2500	a21158ed80e44fef2a41f3796204a8ae2ff23705e80e7a0e460b612276226853.exe	rundll32.exe
PID 2500 wrote to memory of 2744	2500	a21158ed80e44fef2a41f3796204a8ae2ff23705e80e7a0e460b612276226853.exe	rundll32.exe
PID 2500 wrote to memory of 2744	2500	a21158ed80e44fef2a41f3796204a8ae2ff23705e80e7a0e460b612276226853.exe	rundll32.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3852	2744	rundll32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a21158ed80e44fef2a41f3796204a8ae2ff23705e80e7a0e460b612276226853.exe
"C:\Users\Admin\AppData\Local\Temp\a21158ed80e44fef2a41f3796204a8ae2ff23705e80e7a0e460b612276226853.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe SpanielPolymorph,Shorelines
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hypocycloid
MD5
4c661f7fe9aad8df24460b5974f83028

SHA1
640650ded87853f16c1ce7b4dc5bd1c0cc36ff43

SHA256
7b4044b8224c05913f0821a05fac81b09a5619f626f1f5d3afb03fbd718d1da8

SHA512
c033492295d27a98bd54da40b09dbe9230e1812e7c40e375c1001045c84acc9691b5b2729be33b05fe1bf86ebf15b42b1ec626ea08389fd5825ce86bd47ee975

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpanielPolymorph.DLL
MD5
28c74b92530fceb2c5871b64ba0c3ea0

SHA1
9e13cdde74e97f4b94501c6fa645529edbf05285

SHA256
87a3e59ca3449d55d33c2932f6fcc0fb48289bfde35652a6fdd890d4e5b59eac

SHA512
2688cb774f660ad114a0013e27a0da9ff4c2c89927eb661976c38d62e3eb43085b239904cf7ca7243a06b2690f52a36947ad21f1cf5c986cc088974bb0458de1

Download Submit
\Users\Admin\AppData\Local\Temp\SpanielPolymorph.dll
MD5
28c74b92530fceb2c5871b64ba0c3ea0

SHA1
9e13cdde74e97f4b94501c6fa645529edbf05285

SHA256
87a3e59ca3449d55d33c2932f6fcc0fb48289bfde35652a6fdd890d4e5b59eac

SHA512
2688cb774f660ad114a0013e27a0da9ff4c2c89927eb661976c38d62e3eb43085b239904cf7ca7243a06b2690f52a36947ad21f1cf5c986cc088974bb0458de1

Download Submit
memory/2744-121-0x0000000076000000-0x0000000076067000-memory.dmp

Filesize
412KB

Download
memory/2744-122-0x00007FFE7E8B0000-0x00007FFE7EA8B000-memory.dmp

Filesize
1.9MB

Download
memory/2744-123-0x0000000000480000-0x00000000005CA000-memory.dmp

Filesize
1.3MB

Download
memory/3852-124-0x00000000773B9000-0x00000000773BA000-memory.dmp

Filesize
4KB

Download
memory/3852-130-0x00007FFE7E8B0000-0x00007FFE7EA8B000-memory.dmp

Filesize
1.9MB

Download
memory/3852-132-0x0000000002FF0000-0x0000000002FF6000-memory.dmp

Filesize
24KB

Download
memory/3852-156-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing