remcos | c9e00e68342e0121a22ccaca3383494da737f5ffad22b0e3ae0b28eb0260c751

General

Target

c9e00e68342e0121a22ccaca3383494da737f5ffad22b0e3ae0b28eb0260c751.exe
Size

841KB
MD5

c79b14b01bb8070e1524265ef13f3360
SHA1

9f584f1afdff31c3ec994f7d1db5847deb6c0c80
SHA256

c9e00e68342e0121a22ccaca3383494da737f5ffad22b0e3ae0b28eb0260c751
SHA512

923026710f79ace9286a453cfede1f79668bac26ff096c82fa1e215056fb807a7aabdf3a4075d769c0ae6f6a331ace2c6071082af2f8f12c1db0b619293fb4f2

Score

10^/10

remcos treintaycuatro rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

TREINTAYCUATRO

C2

treintaycuatrorem.duckdns.org:1010

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-F04CUL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 5 IoCs

Processes:

cmd.exe

flow pid process

3 1492 cmd.exe
6 1492 cmd.exe
7 1492 cmd.exe
9 1492 cmd.exe
10 1492 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

688 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\logoff.job cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

688 rundll32.exe
688 rundll32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exe

pid process

688 rundll32.exe
688 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

1492 cmd.exe

flow	pid	process
3	1492	cmd.exe
6	1492	cmd.exe
7	1492	cmd.exe
9	1492	cmd.exe
10	1492	cmd.exe

pid	process
688	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\logoff.job	cmd.exe

pid	process
688	rundll32.exe
688	rundll32.exe

pid	process
688	rundll32.exe
688	rundll32.exe

pid	process
1492	cmd.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

c9e00e68342e0121a22ccaca3383494da737f5ffad22b0e3ae0b28eb0260c751.exerundll32.exe

description	pid	process	target process
PID 752 wrote to memory of 688	752	c9e00e68342e0121a22ccaca3383494da737f5ffad22b0e3ae0b28eb0260c751.exe	rundll32.exe
PID 752 wrote to memory of 688	752	c9e00e68342e0121a22ccaca3383494da737f5ffad22b0e3ae0b28eb0260c751.exe	rundll32.exe
PID 752 wrote to memory of 688	752	c9e00e68342e0121a22ccaca3383494da737f5ffad22b0e3ae0b28eb0260c751.exe	rundll32.exe
PID 752 wrote to memory of 688	752	c9e00e68342e0121a22ccaca3383494da737f5ffad22b0e3ae0b28eb0260c751.exe	rundll32.exe
PID 752 wrote to memory of 688	752	c9e00e68342e0121a22ccaca3383494da737f5ffad22b0e3ae0b28eb0260c751.exe	rundll32.exe
PID 752 wrote to memory of 688	752	c9e00e68342e0121a22ccaca3383494da737f5ffad22b0e3ae0b28eb0260c751.exe	rundll32.exe
PID 752 wrote to memory of 688	752	c9e00e68342e0121a22ccaca3383494da737f5ffad22b0e3ae0b28eb0260c751.exe	rundll32.exe
PID 688 wrote to memory of 1464	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1464	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1464	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1464	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1464	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1464	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1464	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1464	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1464	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1464	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe
PID 688 wrote to memory of 1492	688	rundll32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c9e00e68342e0121a22ccaca3383494da737f5ffad22b0e3ae0b28eb0260c751.exe
"C:\Users\Admin\AppData\Local\Temp\c9e00e68342e0121a22ccaca3383494da737f5ffad22b0e3ae0b28eb0260c751.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe OximeLied,Hostage
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:1464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dissonancy
MD5
febedb0812e6b2b87356e4bb02aff6a4

SHA1
d68e79761681ef4b6147c52a4715053c71283293

SHA256
2af97034d465e26d6f994db2022661b60dab58613c4a294c9c46ea54700da16f

SHA512
82a617c6159c203f1aae0cb99f0f7a1f447dd709d543c77e5920041b906371b4fce356b46e5a0ff514699d254df24923ce4f7c557b171d5239855bf624b71e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\OximeLied.DLL
MD5
dc0118aff6d9ffaf70b1a48dfcd59f90

SHA1
8cbe302f4ac7499435b80ffa088cced09fc67759

SHA256
7cc30cdc0aaf891ce2434f92ecd10fa12677a755a41b9b9b3cd5d41501ed5fa8

SHA512
b41f22947b454a557524bbdd279b73452112f1ec7a479104350452a5d06f16fc2e6afb739374e6b953660aa5db414f67442c3c449dd9e834501e769b771eea7a

Download Submit
\Users\Admin\AppData\Local\Temp\OximeLied.dll
MD5
dc0118aff6d9ffaf70b1a48dfcd59f90

SHA1
8cbe302f4ac7499435b80ffa088cced09fc67759

SHA256
7cc30cdc0aaf891ce2434f92ecd10fa12677a755a41b9b9b3cd5d41501ed5fa8

SHA512
b41f22947b454a557524bbdd279b73452112f1ec7a479104350452a5d06f16fc2e6afb739374e6b953660aa5db414f67442c3c449dd9e834501e769b771eea7a

Download Submit
memory/688-59-0x00000000761B0000-0x00000000761E5000-memory.dmp

Filesize
212KB

Download
memory/688-61-0x00000000773F0000-0x0000000077599000-memory.dmp

Filesize
1.7MB

Download
memory/688-60-0x0000000000160000-0x0000000000163000-memory.dmp

Filesize
12KB

Download
memory/752-54-0x0000000075431000-0x0000000075433000-memory.dmp

Filesize
8KB

Download
memory/1492-64-0x00000000773F0000-0x0000000077599000-memory.dmp

Filesize
1.7MB

Download
memory/1492-68-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/1492-70-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing