remcos | 3d39d6df58edba7289a16126befbba677e82d1ecdebaf1a2d8ca03ed05ab2a79

General

Target

Agenzia_Entrate_Applicazione.exe
Size

485KB
MD5

6bf3b86782b7911b76029737162ae206
SHA1

1b8009865c79b5674734ba4ce9a6905bed78182e
SHA256

535f67c47f811aa5b421904959dd6931396a52cdbb9ddb69bface741356dbbef
SHA512

385291ef2ba36b39fd6c7c5af08ad9127d60685e28d69e55152341f522b79f2f4ca3c1aa9e13575dbce0699d976b34dbb5985d08495ca22dc20ed323b7d80ba1
SSDEEP

6144:+d9GVCixOlHU+A/d6tUHOApJBIojiXEL6NSzpYJ8cLmBTXR/TXRqY+xBBYZK:+rFlGIUdbBWEL6GpYJpqy3p

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

listpoints.online:6090

retghrtgwtrgtg.bounceme.net:3839

listpoints.click:7020

datastream.myvnc.com:5225

gservicese.com:2718

center.onthewifi.com:8118

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
explorer.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BXAQVH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3652 set thread context of 888	3652	Agenzia_Entrate_Applicazione.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3652	Agenzia_Entrate_Applicazione.exe
888	cmd.exe
888	cmd.exe
888	cmd.exe
888	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3652	Agenzia_Entrate_Applicazione.exe
888	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1568	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 888	3652	Agenzia_Entrate_Applicazione.exe	86
PID 3652 wrote to memory of 888	3652	Agenzia_Entrate_Applicazione.exe	86
PID 3652 wrote to memory of 888	3652	Agenzia_Entrate_Applicazione.exe	86
PID 3652 wrote to memory of 888	3652	Agenzia_Entrate_Applicazione.exe	86
PID 888 wrote to memory of 5092	888	cmd.exe	101
PID 888 wrote to memory of 5092	888	cmd.exe	101
PID 888 wrote to memory of 5092	888	cmd.exe	101
PID 888 wrote to memory of 5092	888	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\Agenzia_Entrate_Applicazione.exe
"C:\Users\Admin\AppData\Local\Temp\Agenzia_Entrate_Applicazione.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:5092

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1440ed42

Filesize
1.1MB

MD5
22df24448964b6a2a0b3c7cb940d126a

SHA1
6e25f0928b204a342b9bf347982601ffa9e90110

SHA256
1eb23e13394a1ac4cb9b4cc5c8417841f7eabfb85214ecfab11d5c8c32f84849

SHA512
231b34e5a5198dfe0751b924770c7ba38c802b535c70f2f2be759579c3f0c2180544c3d21b8f2da5c7ea6e839180cfb7437f295eab959e719594fcfbb1e0d442

Download Submit
memory/888-9-0x00007FF870E30000-0x00007FF871025000-memory.dmp

Filesize
2.0MB

Download
memory/888-14-0x00000000758D0000-0x0000000075A4B000-memory.dmp

Filesize
1.5MB

Download
memory/888-12-0x00000000758D0000-0x0000000075A4B000-memory.dmp

Filesize
1.5MB

Download
memory/888-11-0x00000000758D0000-0x0000000075A4B000-memory.dmp

Filesize
1.5MB

Download
memory/888-7-0x00000000758D0000-0x0000000075A4B000-memory.dmp

Filesize
1.5MB

Download
memory/1568-54-0x00000260D4100000-0x00000260D4101000-memory.dmp

Filesize
4KB

Download
memory/1568-64-0x00000260D2D30000-0x00000260D2D31000-memory.dmp

Filesize
4KB

Download
memory/1568-89-0x00000260D2F80000-0x00000260D2F81000-memory.dmp

Filesize
4KB

Download
memory/1568-88-0x00000260D2E70000-0x00000260D2E71000-memory.dmp

Filesize
4KB

Download
memory/1568-87-0x00000260D2E70000-0x00000260D2E71000-memory.dmp

Filesize
4KB

Download
memory/1568-85-0x00000260D2E60000-0x00000260D2E61000-memory.dmp

Filesize
4KB

Download
memory/1568-73-0x00000260D2C60000-0x00000260D2C61000-memory.dmp

Filesize
4KB

Download
memory/1568-70-0x00000260D2D20000-0x00000260D2D21000-memory.dmp

Filesize
4KB

Download
memory/1568-67-0x00000260D2D30000-0x00000260D2D31000-memory.dmp

Filesize
4KB

Download
memory/1568-21-0x00000260CAA40000-0x00000260CAA50000-memory.dmp

Filesize
64KB

Download
memory/1568-37-0x00000260CAB40000-0x00000260CAB50000-memory.dmp

Filesize
64KB

Download
memory/1568-53-0x00000260D2FE0000-0x00000260D2FE1000-memory.dmp

Filesize
4KB

Download
memory/1568-65-0x00000260D2D20000-0x00000260D2D21000-memory.dmp

Filesize
4KB

Download
memory/1568-55-0x00000260D4100000-0x00000260D4101000-memory.dmp

Filesize
4KB

Download
memory/1568-56-0x00000260D4100000-0x00000260D4101000-memory.dmp

Filesize
4KB

Download
memory/1568-57-0x00000260D4100000-0x00000260D4101000-memory.dmp

Filesize
4KB

Download
memory/1568-58-0x00000260D4100000-0x00000260D4101000-memory.dmp

Filesize
4KB

Download
memory/1568-59-0x00000260D4100000-0x00000260D4101000-memory.dmp

Filesize
4KB

Download
memory/1568-60-0x00000260D4100000-0x00000260D4101000-memory.dmp

Filesize
4KB

Download
memory/1568-61-0x00000260D4100000-0x00000260D4101000-memory.dmp

Filesize
4KB

Download
memory/1568-62-0x00000260D4100000-0x00000260D4101000-memory.dmp

Filesize
4KB

Download
memory/1568-63-0x00000260D4100000-0x00000260D4101000-memory.dmp

Filesize
4KB

Download
memory/3652-5-0x00000000758D0000-0x0000000075A4B000-memory.dmp

Filesize
1.5MB

Download
memory/3652-0-0x00000000758D0000-0x0000000075A4B000-memory.dmp

Filesize
1.5MB

Download
memory/3652-1-0x00007FF870E30000-0x00007FF871025000-memory.dmp

Filesize
2.0MB

Download
memory/3652-4-0x00000000758D0000-0x0000000075A4B000-memory.dmp

Filesize
1.5MB

Download
memory/5092-20-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5092-19-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5092-18-0x00000000005D0000-0x0000000000A03000-memory.dmp

Filesize
4.2MB

Download
memory/5092-16-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5092-15-0x00007FF870E30000-0x00007FF871025000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing