remcos | 9cc94cedd85793b3be9cb808dfd7e326ba1386b0bae08fee1519c1df8ea40d26

Analysis

max time kernel
155s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2023, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Agenzia_Entrate (16).js
Size

4KB
MD5

6ec662cb2923bc72fbbfbce78331109a
SHA1

fe3d25c1d4164161c4075122b6f99de415da6430
SHA256

9cc94cedd85793b3be9cb808dfd7e326ba1386b0bae08fee1519c1df8ea40d26
SHA512

4e6476aa0442d2533a4a44d3c0bbabc106d72e5266a4e5f5d8bbe4cf36e71506e5474e84017c8d862041927b99c2af14090fc975ec8502cfecd6844f0a441241
SSDEEP

96:l8rOmAMUpSH9hDks9gUQSOv0oKzPqHz8qZ/2EsL/eekJyK:2r8MUwHHDPgUJOJzRt4LGzJyK

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

listpoints.online:6090

retghrtgwtrgtg.bounceme.net:3839

listpoints.click:7020

datastream.myvnc.com:5225

gservicese.com:2718

center.onthewifi.com:8118

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
explorer.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BXAQVH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	852	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
1560	fmsign.exe
2240	iTopVPN.exe

Loads dropped DLL 3 IoCs

pid	Process
2240	iTopVPN.exe
2240	iTopVPN.exe
2240	iTopVPN.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2240 set thread context of 768	2240	iTopVPN.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1560	fmsign.exe
1560	fmsign.exe
2240	iTopVPN.exe
2240	iTopVPN.exe
768	cmd.exe
768	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2240	iTopVPN.exe
768	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1560	852	wscript.exe	86
PID 852 wrote to memory of 1560	852	wscript.exe	86
PID 852 wrote to memory of 1560	852	wscript.exe	86
PID 1560 wrote to memory of 2240	1560	fmsign.exe	92
PID 1560 wrote to memory of 2240	1560	fmsign.exe	92
PID 1560 wrote to memory of 2240	1560	fmsign.exe	92
PID 2240 wrote to memory of 768	2240	iTopVPN.exe	93
PID 2240 wrote to memory of 768	2240	iTopVPN.exe	93
PID 2240 wrote to memory of 768	2240	iTopVPN.exe	93
PID 2240 wrote to memory of 768	2240	iTopVPN.exe	93
PID 768 wrote to memory of 568	768	cmd.exe	101
PID 768 wrote to memory of 568	768	cmd.exe	101
PID 768 wrote to memory of 568	768	cmd.exe	101
PID 768 wrote to memory of 568	768	cmd.exe	101

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Agenzia_Entrate (16).js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\Temp\fmsign.exe
  "C:\Windows\Temp\fmsign.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Roaming\ConfigScan_MBR_dbg\iTopVPN.exe
    C:\Users\Admin\AppData\Roaming\ConfigScan_MBR_dbg\iTopVPN.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        
        PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\33d5a2e8

Filesize
1.1MB

MD5
70d083c9737aa710338f2b8a28620db1

SHA1
69de4ed23a3c00e4886e6199ee6c9be5a4d73a9a

SHA256
e0b0eee54efb562c6d7bb9d519a31f9e0172429292eb362a59ac3e1bb7497ed3

SHA512
0d8f92a28758489292d3f6e0856801436dba998ed55d6367dba4d45c54fe9d4fe6be9e30876d2095f830b5c8672353af949c1067c64da3366ed188593c0bd4bf

Download Submit
C:\Users\Admin\AppData\Roaming\ConfigScan_MBR_dbg\datastate.dll

Filesize
77KB

MD5
9691470e41fbe0b64e7e6c55a7339020

SHA1
d7128d550ce5cf4a3a22b6d88e1751866b0e2929

SHA256
e2c767ace339bbc25e582dee5756246645e209c7b95ee7782d974f964e2988e1

SHA512
aeef3bd858ca7529d26b24cc6c7e9ea1dfc690b4794220ce76804da3af1e7216f127f3d3aa3e09a9498d04be8c31409ac8dfc5bceceaf74fbe0938ad0b00a326

Download Submit
C:\Users\Admin\AppData\Roaming\ConfigScan_MBR_dbg\datastate.dll

Filesize
77KB

MD5
9691470e41fbe0b64e7e6c55a7339020

SHA1
d7128d550ce5cf4a3a22b6d88e1751866b0e2929

SHA256
e2c767ace339bbc25e582dee5756246645e209c7b95ee7782d974f964e2988e1

SHA512
aeef3bd858ca7529d26b24cc6c7e9ea1dfc690b4794220ce76804da3af1e7216f127f3d3aa3e09a9498d04be8c31409ac8dfc5bceceaf74fbe0938ad0b00a326

Download Submit
C:\Users\Admin\AppData\Roaming\ConfigScan_MBR_dbg\datastate.dll

Filesize
77KB

MD5
9691470e41fbe0b64e7e6c55a7339020

SHA1
d7128d550ce5cf4a3a22b6d88e1751866b0e2929

SHA256
e2c767ace339bbc25e582dee5756246645e209c7b95ee7782d974f964e2988e1

SHA512
aeef3bd858ca7529d26b24cc6c7e9ea1dfc690b4794220ce76804da3af1e7216f127f3d3aa3e09a9498d04be8c31409ac8dfc5bceceaf74fbe0938ad0b00a326

Download Submit
C:\Users\Admin\AppData\Roaming\ConfigScan_MBR_dbg\iTopVPN.exe

Filesize
7.3MB

MD5
fa122de570f5f04feb13ded859bfa96c

SHA1
9cf36c88df020156afeee73adb9c78b931ad7f43

SHA256
55ea17a44d7a9882236b5cda25fa844e62cb1a4fe8d5cdc17b3591f4f98aa802

SHA512
e69c2180c3c08ea15784706a89944d5ccff35fa89a68e23aa60335b65740363804282f8737e7147f78f904180de6cc3e5d1e3ec2f6b255234c3799a8d3567ddb

Download Submit
C:\Users\Admin\AppData\Roaming\ConfigScan_MBR_dbg\iTopVPN.exe

Filesize
7.3MB

MD5
fa122de570f5f04feb13ded859bfa96c

SHA1
9cf36c88df020156afeee73adb9c78b931ad7f43

SHA256
55ea17a44d7a9882236b5cda25fa844e62cb1a4fe8d5cdc17b3591f4f98aa802

SHA512
e69c2180c3c08ea15784706a89944d5ccff35fa89a68e23aa60335b65740363804282f8737e7147f78f904180de6cc3e5d1e3ec2f6b255234c3799a8d3567ddb

Download Submit
C:\Users\Admin\AppData\Roaming\ConfigScan_MBR_dbg\snick.jpeg

Filesize
927KB

MD5
2fa93d348f093527bded284772af2519

SHA1
54684158b9407b6b7028f6995161330ee75babe2

SHA256
74fcf4e10cdd994ea69baa025100c47df6ee4e2eb2ceb15758a01f3e078b098a

SHA512
659b14ac1a38b515abefe2573184a503cefc02557477a1f0862d6086ad0068efe4c8699c13c5c9cad1c8519eeadb5533b9cf21a392e35967b620612d3bfbf46a

Download Submit
C:\Users\Admin\AppData\Roaming\ConfigScan_MBR_dbg\sqlite3.dll

Filesize
682KB

MD5
60585caa505cdeb54650fcca89e67799

SHA1
a9f31b9bd1095005e91a0e3d33eaa4806ea27340

SHA256
e21cd835b7bca8b4ad5445dfa2f072eb30e8988de64778d99ca80f9af9614ca0

SHA512
a27a2787f7ffe349f8e31ad8616a57fef7aeca1e722dab02fcfe7122167e2dbc33e42020b0d00a78af9f6cb584727196d1f929bd822c536e1358769e9b7304cd

Download Submit
C:\Users\Admin\AppData\Roaming\ConfigScan_MBR_dbg\sqlite3.dll

Filesize
682KB

MD5
60585caa505cdeb54650fcca89e67799

SHA1
a9f31b9bd1095005e91a0e3d33eaa4806ea27340

SHA256
e21cd835b7bca8b4ad5445dfa2f072eb30e8988de64778d99ca80f9af9614ca0

SHA512
a27a2787f7ffe349f8e31ad8616a57fef7aeca1e722dab02fcfe7122167e2dbc33e42020b0d00a78af9f6cb584727196d1f929bd822c536e1358769e9b7304cd

Download Submit
C:\Windows\Temp\fmsign.exe

Filesize
1.1MB

MD5
b54702f7e532b9f96c07e8afdf5a54ed

SHA1
fce5328a4e8854111bc2deb49b5c11f2ead3e189

SHA256
8cc48f95b1a247eda6d8d095b59083fcf66f6df8c7636e226fda3c84f4b05031

SHA512
fcfb13661076cdd72ca36ea5ada4561bdf7ef406e4921d4043f77833583f41a2bb6f7f3b29f1c7c908ed07676ac9dd8b5cee77c8dbc22e876ce9ce565a7462db

Download Submit
C:\Windows\Temp\fmsign.exe

Filesize
1.1MB

MD5
b54702f7e532b9f96c07e8afdf5a54ed

SHA1
fce5328a4e8854111bc2deb49b5c11f2ead3e189

SHA256
8cc48f95b1a247eda6d8d095b59083fcf66f6df8c7636e226fda3c84f4b05031

SHA512
fcfb13661076cdd72ca36ea5ada4561bdf7ef406e4921d4043f77833583f41a2bb6f7f3b29f1c7c908ed07676ac9dd8b5cee77c8dbc22e876ce9ce565a7462db

Download Submit
C:\Windows\Temp\fmsign.exe

Filesize
1.1MB

MD5
b54702f7e532b9f96c07e8afdf5a54ed

SHA1
fce5328a4e8854111bc2deb49b5c11f2ead3e189

SHA256
8cc48f95b1a247eda6d8d095b59083fcf66f6df8c7636e226fda3c84f4b05031

SHA512
fcfb13661076cdd72ca36ea5ada4561bdf7ef406e4921d4043f77833583f41a2bb6f7f3b29f1c7c908ed07676ac9dd8b5cee77c8dbc22e876ce9ce565a7462db

Download Submit
memory/568-68-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/568-62-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/568-63-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/568-57-0x00007FFED9D70000-0x00007FFED9F65000-memory.dmp

Filesize
2.0MB

Download
memory/568-65-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/568-66-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/568-67-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/568-58-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/568-69-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/568-60-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/568-61-0x0000000000CA0000-0x00000000010D3000-memory.dmp

Filesize
4.2MB

Download
memory/568-64-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/768-53-0x0000000074960000-0x0000000074ADB000-memory.dmp

Filesize
1.5MB

Download
memory/768-56-0x0000000074960000-0x0000000074ADB000-memory.dmp

Filesize
1.5MB

Download
memory/768-49-0x0000000074960000-0x0000000074ADB000-memory.dmp

Filesize
1.5MB

Download
memory/768-54-0x0000000074960000-0x0000000074ADB000-memory.dmp

Filesize
1.5MB

Download
memory/768-51-0x00007FFED9D70000-0x00007FFED9F65000-memory.dmp

Filesize
2.0MB

Download
memory/852-2-0x000001E9003B0000-0x000001E9003C0000-memory.dmp

Filesize
64KB

Download
memory/852-14-0x00007FFEBB6D0000-0x00007FFEBC071000-memory.dmp

Filesize
9.6MB

Download
memory/852-0-0x00007FFEBB6D0000-0x00007FFEBC071000-memory.dmp

Filesize
9.6MB

Download
memory/852-1-0x00007FFEBB6D0000-0x00007FFEBC071000-memory.dmp

Filesize
9.6MB

Download
memory/1560-22-0x0000000074960000-0x0000000074ADB000-memory.dmp

Filesize
1.5MB

Download
memory/1560-20-0x0000000074960000-0x0000000074ADB000-memory.dmp

Filesize
1.5MB

Download
memory/1560-16-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1560-17-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1560-43-0x0000000074960000-0x0000000074ADB000-memory.dmp

Filesize
1.5MB

Download
memory/1560-18-0x0000000074960000-0x0000000074ADB000-memory.dmp

Filesize
1.5MB

Download
memory/1560-19-0x00007FFED9D70000-0x00007FFED9F65000-memory.dmp

Filesize
2.0MB

Download
memory/1560-29-0x0000000074960000-0x0000000074ADB000-memory.dmp

Filesize
1.5MB

Download
memory/1560-30-0x0000000074960000-0x0000000074ADB000-memory.dmp

Filesize
1.5MB

Download
memory/2240-40-0x0000000074960000-0x0000000074ADB000-memory.dmp

Filesize
1.5MB

Download
memory/2240-50-0x0000000061C00000-0x0000000061C9C000-memory.dmp

Filesize
624KB

Download
memory/2240-41-0x00007FFED9D70000-0x00007FFED9F65000-memory.dmp

Filesize
2.0MB

Download
memory/2240-42-0x0000000074960000-0x0000000074ADB000-memory.dmp

Filesize
1.5MB

Download
memory/2240-45-0x0000000074960000-0x0000000074ADB000-memory.dmp

Filesize
1.5MB

Download
memory/2240-47-0x0000000000400000-0x0000000000B8B000-memory.dmp

Filesize
7.5MB

Download