remcos | dbabda1495d2b5098963228c01277cc90925c0e5ebd8e731b5760b818423cb3d

General

Target

CMR AND PACKINGLIST.exe
Size

1.1MB
MD5

04fb2ce6e058a87f0a13bbb214a427bf
SHA1

ae2199326c3fb6e541645820cfcbc3904dabb65d
SHA256

0591c0db7c2e5d407339e854e5c10adbd63c890c72e6709256829a2001b4f164
SHA512

09bbc925672a60aaf19ec3405ebe072896fd73f4fa65d6954d519129ed93637e0dfcd554bc42a9bf1306c36d0a8ea94f502af679155bf7eaf8d7e256e9f95dc0

Score

10^/10

remcos dreamchaser rat

Malware Config

Extracted

Family

remcos

Version

3.3.2 Pro

Botnet

dreamchaser

C2

naninani11.ddns.net:7070

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
windows.exe
copy_folder
file
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-413F1M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CMR AND PACKINGLIST.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	CMR AND PACKINGLIST.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

CMR AND PACKINGLIST.exe

description pid process target process

PID 2764 set thread context of 752 2764 CMR AND PACKINGLIST.exe CMR AND PACKINGLIST.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1600 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

CMR AND PACKINGLIST.exepowershell.exepowershell.exe

pid process

2764 CMR AND PACKINGLIST.exe
4068 powershell.exe
3472 powershell.exe
2764 CMR AND PACKINGLIST.exe
4068 powershell.exe
3472 powershell.exe

description	pid	process	target process
PID 2764 set thread context of 752	2764	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe

pid	process
1600	schtasks.exe

pid	process
2764	CMR AND PACKINGLIST.exe
4068	powershell.exe
3472	powershell.exe
2764	CMR AND PACKINGLIST.exe
4068	powershell.exe
3472	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

CMR AND PACKINGLIST.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2764	CMR AND PACKINGLIST.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CMR AND PACKINGLIST.exe

pid process

752 CMR AND PACKINGLIST.exe

pid	process
752	CMR AND PACKINGLIST.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

CMR AND PACKINGLIST.exeCMR AND PACKINGLIST.exe

description	pid	process	target process
PID 2764 wrote to memory of 3472	2764	CMR AND PACKINGLIST.exe	powershell.exe
PID 2764 wrote to memory of 3472	2764	CMR AND PACKINGLIST.exe	powershell.exe
PID 2764 wrote to memory of 3472	2764	CMR AND PACKINGLIST.exe	powershell.exe
PID 2764 wrote to memory of 4068	2764	CMR AND PACKINGLIST.exe	powershell.exe
PID 2764 wrote to memory of 4068	2764	CMR AND PACKINGLIST.exe	powershell.exe
PID 2764 wrote to memory of 4068	2764	CMR AND PACKINGLIST.exe	powershell.exe
PID 2764 wrote to memory of 1600	2764	CMR AND PACKINGLIST.exe	schtasks.exe
PID 2764 wrote to memory of 1600	2764	CMR AND PACKINGLIST.exe	schtasks.exe
PID 2764 wrote to memory of 1600	2764	CMR AND PACKINGLIST.exe	schtasks.exe
PID 2764 wrote to memory of 752	2764	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 2764 wrote to memory of 752	2764	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 2764 wrote to memory of 752	2764	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 2764 wrote to memory of 752	2764	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 2764 wrote to memory of 752	2764	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 2764 wrote to memory of 752	2764	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 2764 wrote to memory of 752	2764	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 2764 wrote to memory of 752	2764	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 2764 wrote to memory of 752	2764	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 2764 wrote to memory of 752	2764	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 2764 wrote to memory of 752	2764	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 2764 wrote to memory of 752	2764	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 752 wrote to memory of 5056	752	CMR AND PACKINGLIST.exe	svchost.exe
PID 752 wrote to memory of 5056	752	CMR AND PACKINGLIST.exe	svchost.exe
PID 752 wrote to memory of 5056	752	CMR AND PACKINGLIST.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe
"C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mWYdFKE.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mWYdFKE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp19B2.tmp"
2⤵
- Creates scheduled task(s)
PID:1600

C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe
"C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:5056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
791e71ba7bcb8bb9c6aab36ecc35db06

SHA1
06cec711e333af20bd230b03ef4104930bf354c0

SHA256
3684afbfc80b5b422e6199b32bd80d3fa87c34b828c758ada15bb9258f73b17a

SHA512
493488f434eaf9c12303fae2b93a92bbe1dec57470004a3fa04f4cccb3978abe852b43d2306b21da21a652bce773b9d788f315a3c9bed662883f16e68ad02d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp19B2.tmp
Filesize
1KB

MD5
f09987669cb375652e445100adb97ef1

SHA1
899f6be8b5efc3804f7266f1015e1c8a0d975551

SHA256
883e3970b8b2d90101dd30fa1e337dc0d261f108354c3a3aa093e8872655d564

SHA512
731aa6b30c5b8497838e1883d94a5966b77445bf845548a400ef76e73b52d023b13cae8767baa0017af141eb0765214b47f27b939311c9fd7358d2c8a61b4216

Download Submit
memory/752-151-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/752-147-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/752-145-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/752-146-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/752-144-0x0000000000000000-mapping.dmp

Download
memory/1600-138-0x0000000000000000-mapping.dmp

Download
memory/2764-135-0x0000000009C10000-0x0000000009C76000-memory.dmp

Filesize
408KB

Download
memory/2764-131-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/2764-130-0x0000000000A30000-0x0000000000B52000-memory.dmp

Filesize
1.1MB

Download
memory/2764-132-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/2764-133-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/2764-134-0x0000000009100000-0x000000000919C000-memory.dmp

Filesize
624KB

Download
memory/3472-136-0x0000000000000000-mapping.dmp

Download
memory/3472-158-0x0000000006DA0000-0x0000000006DAA000-memory.dmp

Filesize
40KB

Download
memory/3472-140-0x0000000004C80000-0x00000000052A8000-memory.dmp

Filesize
6.2MB

Download
memory/3472-162-0x0000000007050000-0x0000000007058000-memory.dmp

Filesize
32KB

Download
memory/3472-161-0x0000000007070000-0x000000000708A000-memory.dmp

Filesize
104KB

Download
memory/3472-150-0x0000000005A10000-0x0000000005A2E000-memory.dmp

Filesize
120KB

Download
memory/3472-143-0x0000000004BF0000-0x0000000004C56000-memory.dmp

Filesize
408KB

Download
memory/3472-152-0x0000000006BE0000-0x0000000006C12000-memory.dmp

Filesize
200KB

Download
memory/3472-153-0x0000000073680000-0x00000000736CC000-memory.dmp

Filesize
304KB

Download
memory/3472-160-0x0000000006F60000-0x0000000006F6E000-memory.dmp

Filesize
56KB

Download
memory/3472-155-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

Filesize
120KB

Download
memory/3472-156-0x0000000007370000-0x00000000079EA000-memory.dmp

Filesize
6.5MB

Download
memory/3472-159-0x0000000006FB0000-0x0000000007046000-memory.dmp

Filesize
600KB

Download
memory/3472-139-0x0000000004480000-0x00000000044B6000-memory.dmp

Filesize
216KB

Download
memory/4068-157-0x0000000006E00000-0x0000000006E1A000-memory.dmp

Filesize
104KB

Download
memory/4068-154-0x0000000073680000-0x00000000736CC000-memory.dmp

Filesize
304KB

Download
memory/4068-149-0x0000000005B00000-0x0000000005B1E000-memory.dmp

Filesize
120KB

Download
memory/4068-142-0x0000000004B50000-0x0000000004B72000-memory.dmp

Filesize
136KB

Download
memory/4068-137-0x0000000000000000-mapping.dmp

Download
memory/5056-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads