remcos | ba8db0a36c729d98dc09fbd9c7ea62e1b62f5a435318af68bdb846063a325f21

General

Target

g2m.dll
Size

15.1MB
MD5

f14c14a6d5b1613242f061030fdb9163
SHA1

2a0d0c7ee40fdd3fe00a76b6d89c0e951deff8e2
SHA256

ba23ee91a54d3da0e2142a90def9ea6ead953621fdbb2c9a568ab68247993b90
SHA512

7993bd5510278adc273b4de6f62dc0eec06f12b294e62a9cf60319b2ae0bd1111a2aefb8af0876228d4c9e0a5d6e78fda5c494c6583ec92b6ba2b31be69dc4c8
SSDEEP

196608:W0ivGTAslgbSYBsnBho/wnBvq+4rMOblxz6qYFS1qY2aubxi58/EUxFFVs4zti:WzvfaEog+4rdbUTFVe

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

clepdhunt.duckdns.org:4047

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-EN0WTA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

28 3040 WScript.exe
30 3040 WScript.exe
32 3040 WScript.exe

flow	pid	process
28	3040	WScript.exe
30	3040	WScript.exe
32	3040	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*Chrome = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\VIVA_01.dll,EntryPoint"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 5084 set thread context of 2160 5084 regsvr32.exe regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

regsvr32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings regsvr32.exe

description	pid	process	target process
PID 5084 set thread context of 2160	5084	regsvr32.exe	regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.execmd.exeregsvr32.exe

description	pid	process	target process
PID 2192 wrote to memory of 5084	2192	regsvr32.exe	regsvr32.exe
PID 2192 wrote to memory of 5084	2192	regsvr32.exe	regsvr32.exe
PID 2192 wrote to memory of 5084	2192	regsvr32.exe	regsvr32.exe
PID 5084 wrote to memory of 980	5084	regsvr32.exe	cmd.exe
PID 5084 wrote to memory of 980	5084	regsvr32.exe	cmd.exe
PID 5084 wrote to memory of 980	5084	regsvr32.exe	cmd.exe
PID 5084 wrote to memory of 2160	5084	regsvr32.exe	regsvr32.exe
PID 5084 wrote to memory of 2160	5084	regsvr32.exe	regsvr32.exe
PID 5084 wrote to memory of 2160	5084	regsvr32.exe	regsvr32.exe
PID 5084 wrote to memory of 2160	5084	regsvr32.exe	regsvr32.exe
PID 5084 wrote to memory of 2160	5084	regsvr32.exe	regsvr32.exe
PID 980 wrote to memory of 1496	980	cmd.exe	reg.exe
PID 980 wrote to memory of 1496	980	cmd.exe	reg.exe
PID 980 wrote to memory of 1496	980	cmd.exe	reg.exe
PID 2160 wrote to memory of 3040	2160	regsvr32.exe	WScript.exe
PID 2160 wrote to memory of 3040	2160	regsvr32.exe	WScript.exe
PID 2160 wrote to memory of 3040	2160	regsvr32.exe	WScript.exe
PID 2160 wrote to memory of 3704	2160	regsvr32.exe	WScript.exe
PID 2160 wrote to memory of 3704	2160	regsvr32.exe	WScript.exe
PID 2160 wrote to memory of 3704	2160	regsvr32.exe	WScript.exe
PID 2160 wrote to memory of 1056	2160	regsvr32.exe	WScript.exe
PID 2160 wrote to memory of 1056	2160	regsvr32.exe	WScript.exe
PID 2160 wrote to memory of 1056	2160	regsvr32.exe	WScript.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\g2m.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\g2m.dll
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f
4⤵
- Adds Run key to start application
PID:1496

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe"
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Holding130rd.vbs"
4⤵
- Blocklisted process makes network request
PID:3040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Holding130rd.vbs"
4⤵
PID:3704

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Memory.vbs"
4⤵
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Holding130rd.vbs
Filesize
5.8MB

MD5
23d7b25f8233971afe7801edb6615eaa

SHA1
dd3e2f1fecc1d18af047045dcba2a73359b7019f

SHA256
ecac17cda633793bbe91741f4e8ec371000d82ba9cfeab0ee79c9a84d9a0a62c

SHA512
090e4e3bb0cfdbda4f40c3ab76d3d11cb95c26e2069a4a05628875eb794f1b48904d353865c51b68c93b9c57d497abcb2a0f837e6611d3fc955511685cc0f3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Memory.vbs
Filesize
11.2MB

MD5
e95bd9211d202fa0d5cfd86d967e3f28

SHA1
9d4bc96f4239f54868338bd1af65e8ac767bca6e

SHA256
d8cf065a3b13af731193c35c843a6bd272184784e486620d2ba904403ff577cd

SHA512
b906af1a5a946e573f17c9d2032fdc98e14c545a783624a6e3749f671629f063080a0e2507d5569ae3cda8b8db9b48fc79309ebcbd07e7aaf7d052704ac88dd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FPBMA.vbs
Filesize
276B

MD5
08573053b297406719cdb275f62815c8

SHA1
0d82ae88fc747cfacd3a7fd80cb52d9e7f0eaa2f

SHA256
b89ba728b322bff609cc24052896f31c11091a82296e0351769543437b0788bb

SHA512
6feb1b5a0fee7f3e5d1fb2c76a8a4565e6d6f5441e2e156fbd88ef5324c823a95b2e767f8e2948e899793ba3edcc438f9afdc03fdca8dddb3d7a6537f621505d

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsServices\UNAQP.cmd
Filesize
75B

MD5
190bb5d0398a86cffba0566aad524749

SHA1
cfb0913a6a8ca4404fc94f0875a3e1b7ae222d60

SHA256
bf6b4681cb1ea2e7d4e4571a7f80c3a50c8788618cf6437616aefa93b491423b

SHA512
d4be5e0fff7f05ad1730908181e8e1889772a03ae72d5c691bdfa4bab584c1e3dd62124b59222c110d74f3884d73bfdeaf316618a3be05a6ffde4fc3ccefbdaf

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsServices\UUTGX.ps1
Filesize
1.1MB

MD5
a77c5e1a90d97c8c16ff8748fc668b3c

SHA1
611679d8a5e1e5bcaf5cdf3148947f0aa0650af8

SHA256
9dadb75e08649354b0e891ed8c3a0fb0cc515dbcc79c38f8da0abacd016cbae1

SHA512
90669e3a22af8603d754d6bd52c9065e190126e98d41f52a4d729a29afe09e2e4559256a87f3d3715c55087e4c2e61e50ad3f2f314624ff64b83072aa1582bab

Download Submit
C:\Users\Admin\Start Menu\Programs\Startup\WindowsServices-QCEFU.lnk
Filesize
1KB

MD5
d6883ebc9de1f3cadb08873eff6b2d4e

SHA1
1a471c15b691bd86d038bb70ac02c376d3a43d48

SHA256
eb3989f51e36a12d7a491d8170935da5ccd8941291d546bd1358350b0ace0c72

SHA512
17cd81667b4bc247c2e36e1fd8db168de853c77e9f1a389707bf5001defcc24272e9c0dfd5e3381b809119ff763650fe610840d60b9ea08d98ac88bf6aebb25a

Download Submit
memory/2160-33-0x0000000000C50000-0x0000000000CD2000-memory.dmp

Filesize
520KB

Download
memory/2160-23-0x0000000000C50000-0x0000000000CD2000-memory.dmp

Filesize
520KB

Download
memory/2160-9-0x0000000000C50000-0x0000000000CD2000-memory.dmp

Filesize
520KB

Download
memory/2160-10-0x0000000000C50000-0x0000000000CD2000-memory.dmp

Filesize
520KB

Download
memory/2160-11-0x0000000000C50000-0x0000000000CD2000-memory.dmp

Filesize
520KB

Download
memory/2160-12-0x0000000000C50000-0x0000000000CD2000-memory.dmp

Filesize
520KB

Download
memory/2160-13-0x0000000000C50000-0x0000000000CD2000-memory.dmp

Filesize
520KB

Download
memory/2160-14-0x0000000000C50000-0x0000000000CD2000-memory.dmp

Filesize
520KB

Download
memory/2160-4-0x0000000000C50000-0x0000000000CD2000-memory.dmp

Filesize
520KB

Download
memory/2160-8-0x0000000000C50000-0x0000000000CD2000-memory.dmp

Filesize
520KB

Download
memory/2160-28-0x0000000000C50000-0x0000000000CD2000-memory.dmp

Filesize
520KB

Download
memory/2160-6-0x0000000000C50000-0x0000000000CD2000-memory.dmp

Filesize
520KB

Download
memory/2160-3-0x0000000000C50000-0x0000000000CD2000-memory.dmp

Filesize
520KB

Download
memory/2160-34-0x0000000000C50000-0x0000000000CD2000-memory.dmp

Filesize
520KB

Download
memory/2160-35-0x0000000000C50000-0x0000000000CD2000-memory.dmp

Filesize
520KB

Download
memory/5084-0-0x0000000010000000-0x0000000010F92000-memory.dmp

Filesize
15.6MB

Download
memory/5084-5-0x0000000010000000-0x0000000010F92000-memory.dmp

Filesize
15.6MB

Download
memory/5084-2-0x0000000010000000-0x0000000010F92000-memory.dmp

Filesize
15.6MB

Download
memory/5084-1-0x0000000010000000-0x0000000010F92000-memory.dmp

Filesize
15.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads