remcos | 532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b

General

Target

532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exe
Size

803KB
MD5

b4a7a1d5deedceb08f6e2989072217d1
SHA1

13a5c261c2b59fc416ac4b4af004a858e272df2f
SHA256

532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b
SHA512

e5a01750459bc31a01b05d8f7e96316f1340f2314b079b72a836d4cde18c78b912943e0711c627c435dadc01386e6a64205b0bc301da6852825bb08297d91be6

Score

10^/10

remcos cuarenta rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

CUARENTA

C2

cuarentarem.duckdns.org:1010

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-JV2JVP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 5 IoCs

Processes:

cmd.exe

flow pid process

20 2908 cmd.exe
27 2908 cmd.exe
28 2908 cmd.exe
30 2908 cmd.exe
31 2908 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3672 rundll32.exe

flow	pid	process
20	2908	cmd.exe
27	2908	cmd.exe
28	2908	cmd.exe
30	2908	cmd.exe
31	2908	cmd.exe

pid	process
3672	rundll32.exe

Drops file in Windows directory 2 IoCs

Processes:

532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\	532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exe
File created	C:\Windows\Tasks\verifier.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

3672 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

3672 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

2908 cmd.exe

pid	process
3672	rundll32.exe

pid	process
3672	rundll32.exe

pid	process
2908	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exerundll32.exe

description	pid	process	target process
PID 1312 wrote to memory of 3672	1312	532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exe	rundll32.exe
PID 1312 wrote to memory of 3672	1312	532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exe	rundll32.exe
PID 1312 wrote to memory of 3672	1312	532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exe	rundll32.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe
PID 3672 wrote to memory of 2908	3672	rundll32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exe
"C:\Users\Admin\AppData\Local\Temp\532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe Nightmare,Piggins
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nightmare.DLL
MD5
7df838fef098a5c92d1ee3c3fe292207

SHA1
759e7b6d569bba72c3daea62d7f8f5abee4bd6b5

SHA256
40f4f9c8639a9f232ae1f9ad8bcfd9cc45afeac0cc10bcd771e15980a5451371

SHA512
dbe692db96bf69f1ff77233170799c3180e03fb36ac86d2839565aeeb482fb8d380903e970589617e06f2f5fdca2a976fc95d9580e8d65c355b522d9b0a044d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stilt
MD5
b28841fbb75e22b0737b93bdc157e9f4

SHA1
bcd4846db2897c547dae4bc77e83727ed0a69f8e

SHA256
fc1baf22b5128dd9695304dfc7aa133391ab54f4fe39cfe1752d12f20f3dcb65

SHA512
c251b53de6d4d2e880192cd006de9775b321c386facb4b2c7f666f193663629bd890d89da36273648e7a46eff0123eb910f126b427fa180d2a6eae75ea6e3b5d

Download Submit
\Users\Admin\AppData\Local\Temp\Nightmare.dll
MD5
7df838fef098a5c92d1ee3c3fe292207

SHA1
759e7b6d569bba72c3daea62d7f8f5abee4bd6b5

SHA256
40f4f9c8639a9f232ae1f9ad8bcfd9cc45afeac0cc10bcd771e15980a5451371

SHA512
dbe692db96bf69f1ff77233170799c3180e03fb36ac86d2839565aeeb482fb8d380903e970589617e06f2f5fdca2a976fc95d9580e8d65c355b522d9b0a044d8

Download Submit
memory/2908-123-0x00000000770B9000-0x00000000770BA000-memory.dmp

Filesize
4KB

Download
memory/2908-129-0x00007FFBACF00000-0x00007FFBAD0DB000-memory.dmp

Filesize
1.9MB

Download
memory/2908-140-0x0000000000B20000-0x0000000000B26000-memory.dmp

Filesize
24KB

Download
memory/2908-155-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3672-120-0x0000000074060000-0x00000000740C7000-memory.dmp

Filesize
412KB

Download
memory/3672-121-0x00007FFBACF00000-0x00007FFBAD0DB000-memory.dmp

Filesize
1.9MB

Download
memory/3672-122-0x0000000002D80000-0x0000000002D83000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing