remcos | 87efed1d252426d609deebe96c92cfe417b72aec54c39cb7c61d8aa80f8630ae

General

Target

ORDINE_I.exe
Size

456KB
MD5

2d70d1014e14a4dd6d7946bc671171eb
SHA1

55a4372861d107d745fa45db3f300b642ac9004f
SHA256

04ebd3663b3066198bb0b96dcc074e93b281d65effa52f4607479b7ed4cda16b
SHA512

6082e01bc9539d5b353e85dbb844431b7a166f94386bb11047059dfb627909398cf6dcf843033ddcadc78184c4d5ecc7c988f39bec9c9791d95924efa9687168

Score

10^/10

remcos cashoutrtd 2019 rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

cashoutRTD 2019

C2

cashout2018.ddnss.de:2018

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
dmw.exe
copy_folder
dmw
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
winloga
keylog_path
%AppData%
mouse_option
false
mutex
dmw-ID6F8B
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
dmw
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 20 IoCs

Processes:

cmd.exe

flow	pid	process
28	1220	cmd.exe
29	1220	cmd.exe
36	1220	cmd.exe
37	1220	cmd.exe
39	1220	cmd.exe
40	1220	cmd.exe
43	1220	cmd.exe
44	1220	cmd.exe
46	1220	cmd.exe
47	1220	cmd.exe
49	1220	cmd.exe
50	1220	cmd.exe
52	1220	cmd.exe
53	1220	cmd.exe
55	1220	cmd.exe
56	1220	cmd.exe
58	1220	cmd.exe
59	1220	cmd.exe
61	1220	cmd.exe
62	1220	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

ORDINE_I.exe

pid process

2728 ORDINE_I.exe
2728 ORDINE_I.exe
Drops file in Windows directory 1 IoCs

Processes:

ORDINE_I.exe

description ioc process

File opened for modification C:\Windows\win.ini ORDINE_I.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ORDINE_I.exe

pid process

2728 ORDINE_I.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ORDINE_I.exe

pid process

2728 ORDINE_I.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

1220 cmd.exe

pid	process
2728	ORDINE_I.exe
2728	ORDINE_I.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	ORDINE_I.exe

pid	process
2728	ORDINE_I.exe

pid	process
2728	ORDINE_I.exe

pid	process
1220	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ORDINE_I.exe

description	pid	process	target process
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe
PID 2728 wrote to memory of 1220	2728	ORDINE_I.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ORDINE_I.exe
"C:\Users\Admin\AppData\Local\Temp\ORDINE_I.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetWindowsHookEx
PID:1220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\abscissas.dll
MD5
ff3f76bf3b71a26909438b543d2667c4

SHA1
d185d8a472ce338a11a5aa5b6c83607f2e725152

SHA256
4281980a36a06d96c8e3a4ecebbb05698e3c47b3229f5ab102f4e55ebb6a0c5e

SHA512
8b252655eda88a1f28a9e3dc94de932b44642698d5b467c3bcf39249ac3f964872171ec5ce7a134868719af16d22064a0631967713cc1be4aed7db3cbd37ea73

Download Submit
\Users\Admin\AppData\Local\Temp\nsyD89F.tmp\vivo.dll
MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
memory/1220-128-0x0000000000ED0000-0x0000000000ED6000-memory.dmp

Filesize
24KB

Download
memory/1220-129-0x00000000771F9000-0x00000000771FA000-memory.dmp

Filesize
4KB

Download
memory/1220-133-0x00007FFFBB160000-0x00007FFFBB33B000-memory.dmp

Filesize
1.9MB

Download
memory/1220-154-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-118-0x00000000023A0000-0x00000000023AB000-memory.dmp

Filesize
44KB

Download
memory/2728-122-0x0000000002350000-0x0000000002354000-memory.dmp

Filesize
16KB

Download
memory/2728-123-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2728-124-0x0000000003040000-0x0000000003141000-memory.dmp

Filesize
1.0MB

Download
memory/2728-125-0x00007FFFBB160000-0x00007FFFBB33B000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing