remcos | 3f0e07fc6345cc179b7571de8b9fb2bfee2f9bef92a4ec224b4e034cd49e697f

General

Target

g2m.dll
Size

100.0MB
MD5

448de2bbd26b3dd436ad590497c36779
SHA1

595f23c3e5ace472e888bd429107f901cd230d0b
SHA256

4bcaba254171a6aed68dc2c893207b1f5ad3c2d2a650ff18a4d2d1cd0c7f0ed6
SHA512

c747a4d02108fb07e5f967b50a912a181e8f9b664f47d22a6ac0ee785144e272c133bfbfea97d61d53396dd42158fb308c5452575a3d01d02ac06d759d52dbb6
SSDEEP

196608:Mx0ivGTAslgbSYBsnBho/wnBvq+4rMOblxz6qYFS1qY2aubxi58/EUxFFVsv:MxzvfaEog+4rdbUTFVI

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

flysafemyguy.duckdns.org:4047

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-872KQZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*Chrome = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\VIVA_01.dll,EntryPoint"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 4088 set thread context of 2592 4088 regsvr32.exe regsvr32.exe

description	pid	process	target process
PID 4088 set thread context of 2592	4088	regsvr32.exe	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.execmd.exe

description	pid	process	target process
PID 4264 wrote to memory of 4088	4264	regsvr32.exe	regsvr32.exe
PID 4264 wrote to memory of 4088	4264	regsvr32.exe	regsvr32.exe
PID 4264 wrote to memory of 4088	4264	regsvr32.exe	regsvr32.exe
PID 4088 wrote to memory of 732	4088	regsvr32.exe	cmd.exe
PID 4088 wrote to memory of 732	4088	regsvr32.exe	cmd.exe
PID 4088 wrote to memory of 732	4088	regsvr32.exe	cmd.exe
PID 4088 wrote to memory of 2592	4088	regsvr32.exe	regsvr32.exe
PID 4088 wrote to memory of 2592	4088	regsvr32.exe	regsvr32.exe
PID 4088 wrote to memory of 2592	4088	regsvr32.exe	regsvr32.exe
PID 4088 wrote to memory of 2592	4088	regsvr32.exe	regsvr32.exe
PID 4088 wrote to memory of 2592	4088	regsvr32.exe	regsvr32.exe
PID 732 wrote to memory of 1444	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1444	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1444	732	cmd.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\g2m.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\g2m.dll
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f
4⤵
- Adds Run key to start application
PID:1444

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe"
3⤵
PID:2592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:3276

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2592-29-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-11-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-7-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-5-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-28-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-53-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-27-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-51-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-50-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-12-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-13-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-14-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-15-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-16-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-17-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-18-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-19-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-20-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-21-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-22-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-23-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-24-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-25-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-26-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-52-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-6-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-9-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-30-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-31-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-32-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-33-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-34-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-35-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-36-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-37-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-38-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-39-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-40-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-41-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-42-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-43-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-44-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-45-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-46-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-47-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-48-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/2592-49-0x0000000000730000-0x00000000007B2000-memory.dmp

Filesize
520KB

Download
memory/4088-4-0x0000000010000000-0x0000000010F8F000-memory.dmp

Filesize
15.6MB

Download
memory/4088-3-0x0000000010000000-0x0000000010F8F000-memory.dmp

Filesize
15.6MB

Download
memory/4088-1-0x0000000010000000-0x0000000010F8F000-memory.dmp

Filesize
15.6MB

Download
memory/4088-0-0x0000000010000000-0x0000000010F8F000-memory.dmp

Filesize
15.6MB

Download
memory/4088-10-0x0000000010000000-0x0000000010F8F000-memory.dmp

Filesize
15.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads