remcos | 99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec

General

Target

99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exe
Size

1.1MB
MD5

9f56eea3d0b23e1e3cf30ea12008a33e
SHA1

812a407516f9712c80b70a14d6cdf282c88938c1
SHA256

99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec
SHA512

b552d1c7ddd1a778fc438ad27fa79cbbafc83ccf35ac60663410dd099a848c7f7b703b73399a8626300264327fbb865353a923d6a86dd3d9e377ab226ef7f332

Score

10^/10

remcos zzzzzzzzzzzzzzzzzzzzzzzzzzzzmorningstar rat

Malware Config

Extracted

Family

remcos

Version

2.5.1 Pro

Botnet

zzzzzzzzzzzzZZZZZZZZZZZZZZZZMORNINGSTAR

C2

dominoduck2098.duckdns.org:9599

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Chrome.exe
copy_folder
Chrome
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
system
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-ZUH30K
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 5 IoCs

Processes:

cmd.exe

flow pid process

23 4008 cmd.exe
26 4008 cmd.exe
27 4008 cmd.exe
29 4008 cmd.exe
30 4008 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3636 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\icsunattend.job cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

3636 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

3636 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

4008 cmd.exe

flow	pid	process
23	4008	cmd.exe
26	4008	cmd.exe
27	4008	cmd.exe
29	4008	cmd.exe
30	4008	cmd.exe

pid	process
3636	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\icsunattend.job	cmd.exe

pid	process
3636	rundll32.exe

pid	process
3636	rundll32.exe

pid	process
4008	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exerundll32.exe

description	pid	process	target process
PID 3708 wrote to memory of 3636	3708	99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exe	rundll32.exe
PID 3708 wrote to memory of 3636	3708	99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exe	rundll32.exe
PID 3708 wrote to memory of 3636	3708	99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exe	rundll32.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe
PID 3636 wrote to memory of 4008	3636	rundll32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exe
"C:\Users\Admin\AppData\Local\Temp\99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe Galvanometry,Pickaninny
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Firebug
MD5
556a16a1f32d0f6236c0ef23f0d7ced5

SHA1
05df67f9f7755c65bbb8d951cc3a70da7e57e092

SHA256
ec540a9eee23a6473964eb4772e3a92bdd03da4aac90aee8692600d3318613fc

SHA512
4b62d0c131717237dfe738975a71c28283a6a4497e1bfb309a6c77187558d397dd3af71ba5e8559c347db55156d9f51fe17fa5d9be25f2e72a33487af8c5ce85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Galvanometry.DLL
MD5
bc2c79b3780c12c0d508b4fbf37ef15c

SHA1
5b2328a38ff40d57c78a8174ebdc9a7f5553c35f

SHA256
c0852f62db36c97bb577b840dd58eafd4cd579d09114e2f5c5cbd5858378b598

SHA512
9c73429153d6a9b546ff210ec1ef13d2302687992bab26192bb735e9557bec94fc4d6f2ba790afc32933277c1a720cd2015aa19e6522c00150f32fe95cc95136

Download Submit
\Users\Admin\AppData\Local\Temp\Galvanometry.dll
MD5
bc2c79b3780c12c0d508b4fbf37ef15c

SHA1
5b2328a38ff40d57c78a8174ebdc9a7f5553c35f

SHA256
c0852f62db36c97bb577b840dd58eafd4cd579d09114e2f5c5cbd5858378b598

SHA512
9c73429153d6a9b546ff210ec1ef13d2302687992bab26192bb735e9557bec94fc4d6f2ba790afc32933277c1a720cd2015aa19e6522c00150f32fe95cc95136

Download Submit
memory/3636-121-0x0000000073CE0000-0x0000000073D8D000-memory.dmp

Filesize
692KB

Download
memory/3636-123-0x0000000001010000-0x000000000115A000-memory.dmp

Filesize
1.3MB

Download
memory/3636-122-0x0000000074DC0000-0x0000000074E27000-memory.dmp

Filesize
412KB

Download
memory/3636-124-0x00007FFB7D340000-0x00007FFB7D51B000-memory.dmp

Filesize
1.9MB

Download
memory/4008-125-0x0000000077C79000-0x0000000077C7A000-memory.dmp

Filesize
4KB

Download
memory/4008-131-0x00007FFB7D340000-0x00007FFB7D51B000-memory.dmp

Filesize
1.9MB

Download
memory/4008-151-0x0000000003240000-0x0000000003246000-memory.dmp

Filesize
24KB

Download
memory/4008-157-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing