remcos | 404da44dac7c0c62ae76b38bbbd477efc7fb7ce3ae4329e01f31a1b5f7f8c2f1

General

Target

404da44dac7c0c62ae76b38bbbd477efc7fb7ce3ae4329e01f31a1b5f7f8c2f1.exe
Size

885KB
MD5

42289e66471d92ca388420caadc311b2
SHA1

8d8de9045eccae3a98ec2fa89deca53b1e684c28
SHA256

404da44dac7c0c62ae76b38bbbd477efc7fb7ce3ae4329e01f31a1b5f7f8c2f1
SHA512

7d6615a92219ea44d76900d0d6e6d696e56d1d576883b19736345079c7454ab35c69b665eb6645d9c775eddc5db21e8b9cb0e1c1bec9ad68f4f5754457850704

Score

10^/10

remcos libertador rat

Malware Config

Extracted

Family

remcos

Version

2.7.0 Pro

Botnet

LIBERTADOR

C2

constructora823964823.duckdns.org:1212

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-SDXRC2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 4 IoCs

Processes:

cmd.exe

flow pid process

3 980 cmd.exe
6 980 cmd.exe
7 980 cmd.exe
9 980 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1360 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\tzutil.job cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

1360 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1360 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

980 cmd.exe

flow	pid	process
3	980	cmd.exe
6	980	cmd.exe
7	980	cmd.exe
9	980	cmd.exe

pid	process
1360	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\tzutil.job	cmd.exe

pid	process
1360	rundll32.exe

pid	process
1360	rundll32.exe

pid	process
980	cmd.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

404da44dac7c0c62ae76b38bbbd477efc7fb7ce3ae4329e01f31a1b5f7f8c2f1.exerundll32.exe

description	pid	process	target process
PID 1556 wrote to memory of 1360	1556	404da44dac7c0c62ae76b38bbbd477efc7fb7ce3ae4329e01f31a1b5f7f8c2f1.exe	rundll32.exe
PID 1556 wrote to memory of 1360	1556	404da44dac7c0c62ae76b38bbbd477efc7fb7ce3ae4329e01f31a1b5f7f8c2f1.exe	rundll32.exe
PID 1556 wrote to memory of 1360	1556	404da44dac7c0c62ae76b38bbbd477efc7fb7ce3ae4329e01f31a1b5f7f8c2f1.exe	rundll32.exe
PID 1556 wrote to memory of 1360	1556	404da44dac7c0c62ae76b38bbbd477efc7fb7ce3ae4329e01f31a1b5f7f8c2f1.exe	rundll32.exe
PID 1556 wrote to memory of 1360	1556	404da44dac7c0c62ae76b38bbbd477efc7fb7ce3ae4329e01f31a1b5f7f8c2f1.exe	rundll32.exe
PID 1556 wrote to memory of 1360	1556	404da44dac7c0c62ae76b38bbbd477efc7fb7ce3ae4329e01f31a1b5f7f8c2f1.exe	rundll32.exe
PID 1556 wrote to memory of 1360	1556	404da44dac7c0c62ae76b38bbbd477efc7fb7ce3ae4329e01f31a1b5f7f8c2f1.exe	rundll32.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe
PID 1360 wrote to memory of 980	1360	rundll32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\404da44dac7c0c62ae76b38bbbd477efc7fb7ce3ae4329e01f31a1b5f7f8c2f1.exe
"C:\Users\Admin\AppData\Local\Temp\404da44dac7c0c62ae76b38bbbd477efc7fb7ce3ae4329e01f31a1b5f7f8c2f1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe Conservatory,Piggins
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bortsch
MD5
9bb3f5e435b793b600294d38e3aa3199

SHA1
3a55132e79d32b9d265b7763b731455988aaefb4

SHA256
8c5a7689ef4c10a78a6a18368c95df81a7a3570243fd8a1508cd625c2d2bd8f0

SHA512
4a63c0887b3ac958054980c394e8bb3bd69804bf97ccee809852c852a62ecb252081d4e5babff5ee1c92f4619e658cbbab75b00cdf2c62962eba67190c6c0dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Conservatory.DLL
MD5
255c2887e6b5f9756a9a473952e0807a

SHA1
b13718feb8e932e6a59d76a9984fa043d6f7826b

SHA256
0a5e2d346b9e7296275bf79fbda56cfc21a8af540b836dba04df1b6270bfe2c3

SHA512
e45ee410d61639ea098c9d8f831126d62cb67144834e6da6bab5c929cc8fe7a92493ef8a0c83c73b19942540318598987214c6b3377d6959425a91d269527823

Download Submit
\Users\Admin\AppData\Local\Temp\Conservatory.dll
MD5
255c2887e6b5f9756a9a473952e0807a

SHA1
b13718feb8e932e6a59d76a9984fa043d6f7826b

SHA256
0a5e2d346b9e7296275bf79fbda56cfc21a8af540b836dba04df1b6270bfe2c3

SHA512
e45ee410d61639ea098c9d8f831126d62cb67144834e6da6bab5c929cc8fe7a92493ef8a0c83c73b19942540318598987214c6b3377d6959425a91d269527823

Download Submit
memory/980-64-0x0000000076D50000-0x0000000076EF9000-memory.dmp

Filesize
1.7MB

Download
memory/980-68-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/980-70-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1360-60-0x00000000000B0000-0x00000000000B3000-memory.dmp

Filesize
12KB

Download
memory/1360-61-0x0000000076980000-0x00000000769B5000-memory.dmp

Filesize
212KB

Download
memory/1360-62-0x0000000076D50000-0x0000000076EF9000-memory.dmp

Filesize
1.7MB

Download
memory/1556-55-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing