remcos | 3d39d6df58edba7289a16126befbba677e82d1ecdebaf1a2d8ca03ed05ab2a79

General

Target

Agenzia_Entrate_Applicazione.exe
Size

485KB
MD5

6bf3b86782b7911b76029737162ae206
SHA1

1b8009865c79b5674734ba4ce9a6905bed78182e
SHA256

535f67c47f811aa5b421904959dd6931396a52cdbb9ddb69bface741356dbbef
SHA512

385291ef2ba36b39fd6c7c5af08ad9127d60685e28d69e55152341f522b79f2f4ca3c1aa9e13575dbce0699d976b34dbb5985d08495ca22dc20ed323b7d80ba1
SSDEEP

6144:+d9GVCixOlHU+A/d6tUHOApJBIojiXEL6NSzpYJ8cLmBTXR/TXRqY+xBBYZK:+rFlGIUdbBWEL6GpYJpqy3p

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

listpoints.online:6090

retghrtgwtrgtg.bounceme.net:3839

listpoints.click:7020

datastream.myvnc.com:5225

gservicese.com:2718

center.onthewifi.com:8118

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
explorer.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BXAQVH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 1728	2044	Agenzia_Entrate_Applicazione.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2044	Agenzia_Entrate_Applicazione.exe
1728	cmd.exe
1728	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2044	Agenzia_Entrate_Applicazione.exe
1728	cmd.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1728	2044	Agenzia_Entrate_Applicazione.exe	28
PID 2044 wrote to memory of 1728	2044	Agenzia_Entrate_Applicazione.exe	28
PID 2044 wrote to memory of 1728	2044	Agenzia_Entrate_Applicazione.exe	28
PID 2044 wrote to memory of 1728	2044	Agenzia_Entrate_Applicazione.exe	28
PID 2044 wrote to memory of 1728	2044	Agenzia_Entrate_Applicazione.exe	28
PID 1728 wrote to memory of 600	1728	cmd.exe	30
PID 1728 wrote to memory of 600	1728	cmd.exe	30
PID 1728 wrote to memory of 600	1728	cmd.exe	30
PID 1728 wrote to memory of 600	1728	cmd.exe	30
PID 1728 wrote to memory of 600	1728	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\Agenzia_Entrate_Applicazione.exe
"C:\Users\Admin\AppData\Local\Temp\Agenzia_Entrate_Applicazione.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\247cd2ac

Filesize
1.1MB

MD5
9c2bb62e63e9e0e1997e973e49d482b3

SHA1
e94e65a5bf0a6aa9a653b33e7033180fbdc236ca

SHA256
cb5a342e601a26c1181efe25e1373fffe3950a2665713af8d00f6409810364af

SHA512
a02c9e7c6e8d31b94ac0c83a1728fba1421b165c75a179f6e7df032d42d99a8c4b3d599fea3ee129e024db1cc94d5bbe64ae4fa567b36a46692c84b65d1f6e21

Download Submit
memory/600-58-0x00000000776F0000-0x0000000077899000-memory.dmp

Filesize
1.7MB

Download
memory/600-66-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/600-72-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/600-71-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/600-70-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/600-68-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/600-67-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/600-59-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/600-65-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/600-62-0x0000000000EB0000-0x0000000001131000-memory.dmp

Filesize
2.5MB

Download
memory/600-64-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/600-61-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/600-63-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1728-57-0x0000000074E40000-0x0000000074FB4000-memory.dmp

Filesize
1.5MB

Download
memory/1728-54-0x0000000074E40000-0x0000000074FB4000-memory.dmp

Filesize
1.5MB

Download
memory/1728-55-0x0000000074E40000-0x0000000074FB4000-memory.dmp

Filesize
1.5MB

Download
memory/1728-9-0x00000000776F0000-0x0000000077899000-memory.dmp

Filesize
1.7MB

Download
memory/1728-7-0x0000000074E40000-0x0000000074FB4000-memory.dmp

Filesize
1.5MB

Download
memory/2044-0-0x0000000074E40000-0x0000000074FB4000-memory.dmp

Filesize
1.5MB

Download
memory/2044-4-0x0000000074E40000-0x0000000074FB4000-memory.dmp

Filesize
1.5MB

Download
memory/2044-1-0x00000000776F0000-0x0000000077899000-memory.dmp

Filesize
1.7MB

Download
memory/2044-5-0x0000000074E40000-0x0000000074FB4000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing