remcos | 99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928

General

Target

99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928.exe
Size

775KB
MD5

69dfc61329cd3e395a08f14a86bb6b24
SHA1

12bf261e27956522b0990a7ea87cbfdf03ce9321
SHA256

99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928
SHA512

5b6bd87748111a15912bca528b0847dd71dbd6ed18a3a28fcec4e6916a7f9601156a69d557279dffa388d136614b853ed8ef8ddb8a76427220b854cce6e8a705

Score

10^/10

remcos veintiocho rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

VEINTIOCHO

C2

veintisieteremc.duckdns.org:1011

veintiochoremc.duckdns.org:1011

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-98T9IZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 6 IoCs

Processes:

cmd.exe

flow pid process

3 1396 cmd.exe
5 1396 cmd.exe
6 1396 cmd.exe
7 1396 cmd.exe
9 1396 cmd.exe
11 1396 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2044 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\sort.job cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

2044 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

2044 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

1396 cmd.exe

flow	pid	process
3	1396	cmd.exe
5	1396	cmd.exe
6	1396	cmd.exe
7	1396	cmd.exe
9	1396	cmd.exe
11	1396	cmd.exe

pid	process
2044	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\sort.job	cmd.exe

pid	process
2044	rundll32.exe

pid	process
2044	rundll32.exe

pid	process
1396	cmd.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928.exerundll32.exe

description	pid	process	target process
PID 1292 wrote to memory of 2044	1292	99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928.exe	rundll32.exe
PID 1292 wrote to memory of 2044	1292	99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928.exe	rundll32.exe
PID 1292 wrote to memory of 2044	1292	99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928.exe	rundll32.exe
PID 1292 wrote to memory of 2044	1292	99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928.exe	rundll32.exe
PID 1292 wrote to memory of 2044	1292	99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928.exe	rundll32.exe
PID 1292 wrote to memory of 2044	1292	99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928.exe	rundll32.exe
PID 1292 wrote to memory of 2044	1292	99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928.exe	rundll32.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 1396	2044	rundll32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928.exe
"C:\Users\Admin\AppData\Local\Temp\99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe GuestRummy,Michelle
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GuestRummy.DLL
MD5
fc2b4128dbe4d1885b5f3297b8d77e3d

SHA1
239043c06a87fd038f242a240d64996acd7de8b9

SHA256
95965a6f6a610d3cd68ab6f2eabdb2fb23c29db258761ea8b547c754fe11ce4e

SHA512
a477136f2ebf89257197d86cd35b050e7fd0ad8cce97f3d532ac9749ddb9e4dfc9bce365543ab812b80a182f10f631bddb322bb9a89e745cb75a7116e2061f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Widget
MD5
e0c846e4fef7c6fe7ec0a47d17be4f52

SHA1
3ba713e6692628483d009b49924769858edf7896

SHA256
fd30c39c9be4bc5676acb04b175daf6859d9d40d20760d4d4300cbd4ce361cfc

SHA512
8434580551afc8f5ff2945facfcc9e2284829416e0cf94febc9bbe2bc950eb226301777e33f4b056944cbb48803173f08a1f8ceaf73a60a07d39f8d1ea62d357

Download Submit
\Users\Admin\AppData\Local\Temp\GuestRummy.dll
MD5
fc2b4128dbe4d1885b5f3297b8d77e3d

SHA1
239043c06a87fd038f242a240d64996acd7de8b9

SHA256
95965a6f6a610d3cd68ab6f2eabdb2fb23c29db258761ea8b547c754fe11ce4e

SHA512
a477136f2ebf89257197d86cd35b050e7fd0ad8cce97f3d532ac9749ddb9e4dfc9bce365543ab812b80a182f10f631bddb322bb9a89e745cb75a7116e2061f84

Download Submit
memory/1292-54-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1396-63-0x00000000779E0000-0x0000000077B89000-memory.dmp

Filesize
1.7MB

Download
memory/1396-67-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1396-69-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2044-59-0x0000000077690000-0x00000000776C5000-memory.dmp

Filesize
212KB

Download
memory/2044-60-0x00000000779E0000-0x0000000077B89000-memory.dmp

Filesize
1.7MB

Download
memory/2044-61-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing