remcos | 35d63d61f12598d5b85475f85cdad05bee0e0afb3c3e65799d1325a224ac66d5

General

Target

35d63d61f12598d5b85475f85cdad05bee0e0afb3c3e65799d1325a224ac66d5.exe
Size

405KB
MD5

607aacf94113248d45f31e2baba4136c
SHA1

7edb738018e0e91c257a6fc94bdba50daf899f90
SHA256

35d63d61f12598d5b85475f85cdad05bee0e0afb3c3e65799d1325a224ac66d5
SHA512

1ebf580afe38f02ccd6eb9b9875e62e610abf8d826595aaba895deffbab65dba61aba6170a34ffeeb81e4f221be4a4c8073db536ca40afd5731214b2961c1763

Score

10^/10

remcos 28 agosto rat

Malware Config

Extracted

Family

remcos

Version

2.7.0 Pro

Botnet

28 AGOSTO

C2

ruthy.qdp6fj1uji.xyz:2047

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rcm
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-J3WQVO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

932 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

cmd.exe

description pid process target process

PID 568 set thread context of 1112 568 cmd.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

932 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

932 rundll32.exe

pid	process
932	rundll32.exe

description	pid	process	target process
PID 568 set thread context of 1112	568	cmd.exe	iexplore.exe

pid	process
932	rundll32.exe

pid	process
932	rundll32.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

35d63d61f12598d5b85475f85cdad05bee0e0afb3c3e65799d1325a224ac66d5.exerundll32.execmd.exe

description	pid	process	target process
PID 1468 wrote to memory of 932	1468	35d63d61f12598d5b85475f85cdad05bee0e0afb3c3e65799d1325a224ac66d5.exe	rundll32.exe
PID 1468 wrote to memory of 932	1468	35d63d61f12598d5b85475f85cdad05bee0e0afb3c3e65799d1325a224ac66d5.exe	rundll32.exe
PID 1468 wrote to memory of 932	1468	35d63d61f12598d5b85475f85cdad05bee0e0afb3c3e65799d1325a224ac66d5.exe	rundll32.exe
PID 1468 wrote to memory of 932	1468	35d63d61f12598d5b85475f85cdad05bee0e0afb3c3e65799d1325a224ac66d5.exe	rundll32.exe
PID 1468 wrote to memory of 932	1468	35d63d61f12598d5b85475f85cdad05bee0e0afb3c3e65799d1325a224ac66d5.exe	rundll32.exe
PID 1468 wrote to memory of 932	1468	35d63d61f12598d5b85475f85cdad05bee0e0afb3c3e65799d1325a224ac66d5.exe	rundll32.exe
PID 1468 wrote to memory of 932	1468	35d63d61f12598d5b85475f85cdad05bee0e0afb3c3e65799d1325a224ac66d5.exe	rundll32.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 932 wrote to memory of 568	932	rundll32.exe	cmd.exe
PID 568 wrote to memory of 1112	568	cmd.exe	iexplore.exe
PID 568 wrote to memory of 1112	568	cmd.exe	iexplore.exe
PID 568 wrote to memory of 1112	568	cmd.exe	iexplore.exe
PID 568 wrote to memory of 1112	568	cmd.exe	iexplore.exe
PID 568 wrote to memory of 1112	568	cmd.exe	iexplore.exe
PID 568 wrote to memory of 1112	568	cmd.exe	iexplore.exe
PID 568 wrote to memory of 1112	568	cmd.exe	iexplore.exe
PID 568 wrote to memory of 1112	568	cmd.exe	iexplore.exe
PID 568 wrote to memory of 1112	568	cmd.exe	iexplore.exe
PID 568 wrote to memory of 1112	568	cmd.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\35d63d61f12598d5b85475f85cdad05bee0e0afb3c3e65799d1325a224ac66d5.exe
"C:\Users\Admin\AppData\Local\Temp\35d63d61f12598d5b85475f85cdad05bee0e0afb3c3e65799d1325a224ac66d5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe Galvanometry,Pickaninny
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:568

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
PID:1112

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Firebug
MD5
4a2aa776c3969ee16131b2ba39be9f88

SHA1
55fcc55cbcfdd5bef4d93089aec4945769868258

SHA256
5eb32341334c7cde4bec546203b3262a5dbe61754a3178cc7d3771194ad8da4b

SHA512
0cff449f3e90e6bf573e9d6f8e495512d6a16d5ef95bdae2f816058f345b4e6935360a0ceb83310664af38b2a2b1ebf5a7ac0b68a43e3819e349a8d225b10bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Galvanometry.DLL
MD5
bc2c79b3780c12c0d508b4fbf37ef15c

SHA1
5b2328a38ff40d57c78a8174ebdc9a7f5553c35f

SHA256
c0852f62db36c97bb577b840dd58eafd4cd579d09114e2f5c5cbd5858378b598

SHA512
9c73429153d6a9b546ff210ec1ef13d2302687992bab26192bb735e9557bec94fc4d6f2ba790afc32933277c1a720cd2015aa19e6522c00150f32fe95cc95136

Download Submit
\Users\Admin\AppData\Local\Temp\Galvanometry.dll
MD5
bc2c79b3780c12c0d508b4fbf37ef15c

SHA1
5b2328a38ff40d57c78a8174ebdc9a7f5553c35f

SHA256
c0852f62db36c97bb577b840dd58eafd4cd579d09114e2f5c5cbd5858378b598

SHA512
9c73429153d6a9b546ff210ec1ef13d2302687992bab26192bb735e9557bec94fc4d6f2ba790afc32933277c1a720cd2015aa19e6522c00150f32fe95cc95136

Download Submit
memory/568-64-0x00000000779E0000-0x0000000077B89000-memory.dmp

Filesize
1.7MB

Download
memory/568-69-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/568-70-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/932-59-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/932-60-0x0000000074E10000-0x0000000074E68000-memory.dmp

Filesize
352KB

Download
memory/932-61-0x0000000076FB0000-0x0000000076FE5000-memory.dmp

Filesize
212KB

Download
memory/932-62-0x00000000779E0000-0x0000000077B89000-memory.dmp

Filesize
1.7MB

Download
memory/1468-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing