remcos | 6f15d411c1fadf4dbbd4b4ed757152e3811827c37daadd52bc165e52584d88ef

General

Target

CMR AND PACKINGLIST.exe
Size

1.1MB
MD5

04fb2ce6e058a87f0a13bbb214a427bf
SHA1

ae2199326c3fb6e541645820cfcbc3904dabb65d
SHA256

0591c0db7c2e5d407339e854e5c10adbd63c890c72e6709256829a2001b4f164
SHA512

09bbc925672a60aaf19ec3405ebe072896fd73f4fa65d6954d519129ed93637e0dfcd554bc42a9bf1306c36d0a8ea94f502af679155bf7eaf8d7e256e9f95dc0

Score

10^/10

remcos dreamchaser rat

Malware Config

Extracted

Family

remcos

Version

3.3.2 Pro

Botnet

dreamchaser

C2

naninani11.ddns.net:7070

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
windows.exe
copy_folder
file
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-413F1M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

CMR AND PACKINGLIST.exe

description pid process target process

PID 1452 set thread context of 1840 1452 CMR AND PACKINGLIST.exe CMR AND PACKINGLIST.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1360 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

CMR AND PACKINGLIST.exepowershell.exepowershell.exe

pid process

1452 CMR AND PACKINGLIST.exe
1452 CMR AND PACKINGLIST.exe
740 powershell.exe
316 powershell.exe

description	pid	process	target process
PID 1452 set thread context of 1840	1452	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe

pid	process
1360	schtasks.exe

pid	process
1452	CMR AND PACKINGLIST.exe
1452	CMR AND PACKINGLIST.exe
740	powershell.exe
316	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

CMR AND PACKINGLIST.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1452	CMR AND PACKINGLIST.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CMR AND PACKINGLIST.exe

pid process

1840 CMR AND PACKINGLIST.exe

pid	process
1840	CMR AND PACKINGLIST.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

CMR AND PACKINGLIST.exeCMR AND PACKINGLIST.exe

description	pid	process	target process
PID 1452 wrote to memory of 740	1452	CMR AND PACKINGLIST.exe	powershell.exe
PID 1452 wrote to memory of 740	1452	CMR AND PACKINGLIST.exe	powershell.exe
PID 1452 wrote to memory of 740	1452	CMR AND PACKINGLIST.exe	powershell.exe
PID 1452 wrote to memory of 740	1452	CMR AND PACKINGLIST.exe	powershell.exe
PID 1452 wrote to memory of 316	1452	CMR AND PACKINGLIST.exe	powershell.exe
PID 1452 wrote to memory of 316	1452	CMR AND PACKINGLIST.exe	powershell.exe
PID 1452 wrote to memory of 316	1452	CMR AND PACKINGLIST.exe	powershell.exe
PID 1452 wrote to memory of 316	1452	CMR AND PACKINGLIST.exe	powershell.exe
PID 1452 wrote to memory of 1360	1452	CMR AND PACKINGLIST.exe	schtasks.exe
PID 1452 wrote to memory of 1360	1452	CMR AND PACKINGLIST.exe	schtasks.exe
PID 1452 wrote to memory of 1360	1452	CMR AND PACKINGLIST.exe	schtasks.exe
PID 1452 wrote to memory of 1360	1452	CMR AND PACKINGLIST.exe	schtasks.exe
PID 1452 wrote to memory of 1840	1452	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 1452 wrote to memory of 1840	1452	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 1452 wrote to memory of 1840	1452	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 1452 wrote to memory of 1840	1452	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 1452 wrote to memory of 1840	1452	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 1452 wrote to memory of 1840	1452	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 1452 wrote to memory of 1840	1452	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 1452 wrote to memory of 1840	1452	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 1452 wrote to memory of 1840	1452	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 1452 wrote to memory of 1840	1452	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 1452 wrote to memory of 1840	1452	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 1452 wrote to memory of 1840	1452	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 1452 wrote to memory of 1840	1452	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 1840 wrote to memory of 1784	1840	CMR AND PACKINGLIST.exe	svchost.exe
PID 1840 wrote to memory of 1784	1840	CMR AND PACKINGLIST.exe	svchost.exe
PID 1840 wrote to memory of 1784	1840	CMR AND PACKINGLIST.exe	svchost.exe
PID 1840 wrote to memory of 1784	1840	CMR AND PACKINGLIST.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe
"C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mWYdFKE.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mWYdFKE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAD50.tmp"
2⤵
- Creates scheduled task(s)
PID:1360

C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe
"C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAD50.tmp
Filesize
1KB

MD5
102b8449e05ec472ca12e774e67ff30d

SHA1
6f5ca929214ccfcaa2bd3660cf3ab8ab2b766e7b

SHA256
0e3bc8dad5336796b9fdb5b54be6b5884d68492cae4739d4835173db654f7c3d

SHA512
48c6cc0930d8663ea0edaf4b9a51a337b2e0ba5df4ffcd54867350be9aff69a4725c32e20a04c5ca69cf10fff5f3c8d436217012e614a5c740ef4c077dfb5e99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e8960d68eef5d44372c3ec60870132fd

SHA1
6f4ca6c21ecc0c6676ed3fb376933edd94884f44

SHA256
59e4bdd4ed56083d27318321038bcf72ebbbc9603f6e2852e8e2a2142bf3bd79

SHA512
8aac42b048c5cba1d395b45c4a117eada36cb5467c4b439738d1d01ab56fdede4da50da897e264ad7143e785cc49a106e5cafb394c69525de3870258050d9653

Download Submit
memory/316-60-0x0000000000000000-mapping.dmp

Download
memory/316-85-0x000000006F270000-0x000000006F81B000-memory.dmp

Filesize
5.7MB

Download
memory/740-58-0x0000000000000000-mapping.dmp

Download
memory/740-83-0x000000006F270000-0x000000006F81B000-memory.dmp

Filesize
5.7MB

Download
memory/1360-61-0x0000000000000000-mapping.dmp

Download
memory/1452-54-0x0000000000C70000-0x0000000000D92000-memory.dmp

Filesize
1.1MB

Download
memory/1452-55-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1452-56-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/1452-57-0x0000000008010000-0x00000000080E8000-memory.dmp

Filesize
864KB

Download
memory/1452-65-0x0000000008660000-0x00000000086E0000-memory.dmp

Filesize
512KB

Download
memory/1840-69-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1840-71-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1840-72-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1840-73-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1840-74-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1840-76-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1840-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1840-79-0x0000000000430472-mapping.dmp

Download
memory/1840-82-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1840-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1840-84-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1840-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads