remcos | 842865b9125bc84672070b327eba99d3f8f74436c804acb0d1cae5cb838824b9

General

Target

CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
Size

372KB
MD5

a962399ee6a55b52ad2432702a800597
SHA1

2ae09b6b627b86bb4a6e2e7b2d33fdc6f8e1579f
SHA256

329886b8af71b45a41f94d0d9a69761b6b6fe80d36b7f7a6201fd97dc33234d5
SHA512

7914d464cbba0de5392a19d9bd986be7246fca19d15cad5303cf81f1a9dd56cbf94729bd5d1f7f2b2b3e0cb545bb689cc6114b8ee08a8c508c4f8d1eeb86b8a6

Score

10^/10

remcos snakebot graced coreentity rat rezer0 snakebot

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

GRACED

C2

thankyoulord.ddns.net:5050

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-0S5XD9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/2032-56-0x0000000000260000-0x0000000000268000-memory.dmp	coreentity

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
SnakeBOT
SnakeBOT is a heavily obfuscated .NET downloader.
snakebot

Contains SnakeBOT related strings 1 IoCs

snakebot

Processes:

resource	yara_rule
behavioral1/memory/2032-54-0x0000000000DE0000-0x0000000000E46000-memory.dmp	snakebot_strings

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/2032-57-0x0000000004250000-0x000000000427C000-memory.dmp	rezer0

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

description pid process target process

PID 2032 set thread context of 1508 2032 CONFIRMACION DEL PEDIDO CVE6535,PDF.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

956 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

pid process

2032 CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

description pid process

Token: SeDebugPrivilege 2032 CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

pid process

2032 CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
2032 CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

description	pid	process	target process
PID 2032 set thread context of 1508	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe

pid	process
956	schtasks.exe

pid	process
2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

description	pid	process
Token: SeDebugPrivilege	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

pid	process
2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

description	pid	process	target process
PID 2032 wrote to memory of 956	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	schtasks.exe
PID 2032 wrote to memory of 956	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	schtasks.exe
PID 2032 wrote to memory of 956	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	schtasks.exe
PID 2032 wrote to memory of 956	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	schtasks.exe
PID 2032 wrote to memory of 1508	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 2032 wrote to memory of 1508	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 2032 wrote to memory of 1508	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 2032 wrote to memory of 1508	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 2032 wrote to memory of 1508	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 2032 wrote to memory of 1508	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 2032 wrote to memory of 1508	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 2032 wrote to memory of 1508	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 2032 wrote to memory of 1508	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 2032 wrote to memory of 1508	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 2032 wrote to memory of 1508	2032	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
"C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CfGuVGvIV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB4C2.tmp"
2⤵
- Creates scheduled task(s)
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB4C2.tmp
Filesize
1KB

MD5
ee1ed86147dde107904d30a585a6b50d

SHA1
83c33b93fdcbc8d4790faba9fb17bd41a5316d49

SHA256
8c7ee9c485f2fe1f45fcde438f94b694c206ffbea412ca9cb8e3fb7279b9f4c3

SHA512
61cecb49215e8a8e3c4a84628df30a154e49a807ce0703c5b6fb5bedb368c6ab5b3af5a9ac831cdcacb3c9fcafda69116843f9d07712256763a8ac9fcee6e3b4

Download Submit
memory/956-58-0x0000000000000000-mapping.dmp

Download
memory/1508-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1508-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1508-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1508-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1508-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1508-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1508-70-0x0000000000413A84-mapping.dmp

Download
memory/1508-69-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1508-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1508-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2032-57-0x0000000004250000-0x000000000427C000-memory.dmp

Filesize
176KB

Download
memory/2032-54-0x0000000000DE0000-0x0000000000E46000-memory.dmp

Filesize
408KB

Download
memory/2032-55-0x0000000075221000-0x0000000075223000-memory.dmp

Filesize
8KB

Download
memory/2032-56-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads