remcos | 0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366

General

Target

0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366.exe
Size

1.0MB
MD5

49b50b8de454c9bc22545d7a3d4f8129
SHA1

a4fd08d1823e3192673d706fc7ed204c6d90862b
SHA256

0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366
SHA512

704775c7ebb0fed8e56f50de7156eaec04c4aa51a220907327e5af20e8657d7f177a60befdca7a44975a2ae56b17499cd8c7175f78504d8ce2b267c20763d040

Score

10^/10

remcos veintitres rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

VEINTITRES

C2

veintitressisisi.duckdns.org:1011

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-BP758C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 4 IoCs

Processes:

cmd.exe

flow pid process

22 3052 cmd.exe
25 3052 cmd.exe
26 3052 cmd.exe
28 3052 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

780 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\cliconfg.job cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

780 rundll32.exe
780 rundll32.exe
780 rundll32.exe
780 rundll32.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

rundll32.exe

pid process

780 rundll32.exe
780 rundll32.exe
780 rundll32.exe
780 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

3052 cmd.exe

flow	pid	process
22	3052	cmd.exe
25	3052	cmd.exe
26	3052	cmd.exe
28	3052	cmd.exe

pid	process
780	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\cliconfg.job	cmd.exe

pid	process
780	rundll32.exe
780	rundll32.exe
780	rundll32.exe
780	rundll32.exe

pid	process
780	rundll32.exe
780	rundll32.exe
780	rundll32.exe
780	rundll32.exe

pid	process
3052	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366.exerundll32.exe

description	pid	process	target process
PID 2808 wrote to memory of 780	2808	0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366.exe	rundll32.exe
PID 2808 wrote to memory of 780	2808	0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366.exe	rundll32.exe
PID 2808 wrote to memory of 780	2808	0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366.exe	rundll32.exe
PID 780 wrote to memory of 1868	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1868	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1868	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1868	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1868	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1868	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1868	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1868	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1868	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1428	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1428	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1428	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1428	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1428	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1428	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1428	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1428	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 1428	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 784	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 784	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 784	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 784	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 784	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 784	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 784	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 784	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 784	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe
PID 780 wrote to memory of 3052	780	rundll32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366.exe
"C:\Users\Admin\AppData\Local\Temp\0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe Transport,Pretor
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Transport.DLL
MD5
870f4c154b412997a3d564d3d1d9cd2e

SHA1
34faecd6d4336c422cc361264cab4e87a9f7f0fa

SHA256
dca83f20a61e619807fc6ac98d11fde2df618d1d9a0db2143fd295516c143448

SHA512
f756a342ce8684b3f2a7ce5a18da08fac3451a516490a58241ff4e4dcf1d358818eb4d96e539ee38e4f0711cdf36161f6a95c955d9b5e3ca858b4303ea7e14c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uprise
MD5
6a54dccf3dba42037818820856852a00

SHA1
dc0495d0a951305c5c03a2371bfd9053e42b8b5d

SHA256
204f8d3ef40b086b1f482674c1f6dd324c488b684a6b53b5d0d63a2811480406

SHA512
967ad475aaa60432e6b4bef9c2be7a85182e6f5205d11898e52fd6441b81abf421abbe1757afeea3c16ee4a2bfb2e6944a879a075a6cf03763d7064220b4695a

Download Submit
\Users\Admin\AppData\Local\Temp\Transport.dll
MD5
870f4c154b412997a3d564d3d1d9cd2e

SHA1
34faecd6d4336c422cc361264cab4e87a9f7f0fa

SHA256
dca83f20a61e619807fc6ac98d11fde2df618d1d9a0db2143fd295516c143448

SHA512
f756a342ce8684b3f2a7ce5a18da08fac3451a516490a58241ff4e4dcf1d358818eb4d96e539ee38e4f0711cdf36161f6a95c955d9b5e3ca858b4303ea7e14c0

Download Submit
memory/780-121-0x0000000003350000-0x0000000003352000-memory.dmp

Filesize
8KB

Download
memory/780-122-0x0000000077010000-0x0000000077077000-memory.dmp

Filesize
412KB

Download
memory/780-123-0x00007FFCF1320000-0x00007FFCF14FB000-memory.dmp

Filesize
1.9MB

Download
memory/3052-127-0x0000000077369000-0x000000007736A000-memory.dmp

Filesize
4KB

Download
memory/3052-133-0x00007FFCF1320000-0x00007FFCF14FB000-memory.dmp

Filesize
1.9MB

Download
memory/3052-143-0x0000000000980000-0x0000000000986000-memory.dmp

Filesize
24KB

Download
memory/3052-159-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing