remcos | 2baa36ebea1ad309fa1083845b0510d4ea439bd52463c67dc1376a722c2e9fbb

General

Target

CodeBlock-wallet_v1.3.1.exe
Size

99.4MB
MD5

51214f407f63fa8b44b168e7fb1af2a4
SHA1

5d253f197114361a2f80ca0d0e2fed6834c97b2b
SHA256

0afab6861707ce6ad25f50fdf52af8dc3e637ba4c0fac93443fe073274cdc742
SHA512

e891b1eeb33b0f8a80af771bb0caea27f8e1e586277ed030e5091380a3933cb81a34b8fde1eade0db993f9dd661bee7f72fd6c2f7fe5fa2590c4530250513ca7
SSDEEP

49152:4WGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbG3335:MtLutqgwh4NYxtJpkxhGx333

Score

10^/10

remcos 22077 rat

Malware Config

Extracted

Family

remcos

Botnet

22077

C2

195.54.170.36:22077

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
VB786YNr-ICKPAO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

UniversalInstaller.exeUniversalInstaller.exe

pid process

3064 UniversalInstaller.exe
2580 UniversalInstaller.exe
Loads dropped DLL 5 IoCs

Processes:

CodeBlock-wallet_v1.3.1.exeUniversalInstaller.exeUniversalInstaller.execmd.exe

pid process

2372 CodeBlock-wallet_v1.3.1.exe
3064 UniversalInstaller.exe
3064 UniversalInstaller.exe
2580 UniversalInstaller.exe
2696 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

UniversalInstaller.exe

description pid process target process

PID 2580 set thread context of 2696 2580 UniversalInstaller.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3064	UniversalInstaller.exe
2580	UniversalInstaller.exe

description	pid	process	target process
PID 2580 set thread context of 2696	2580	UniversalInstaller.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

CodeBlock-wallet_v1.3.1.exeUniversalInstaller.exeUniversalInstaller.execmd.exe

pid	process
2372	CodeBlock-wallet_v1.3.1.exe
2372	CodeBlock-wallet_v1.3.1.exe
3064	UniversalInstaller.exe
2580	UniversalInstaller.exe
2580	UniversalInstaller.exe
2696	cmd.exe
2696	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

UniversalInstaller.execmd.exe

pid process

2580 UniversalInstaller.exe
2696 cmd.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

CodeBlock-wallet_v1.3.1.exe

pid process

2372 CodeBlock-wallet_v1.3.1.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

UniversalInstaller.exeUniversalInstaller.exe

pid process

3064 UniversalInstaller.exe
3064 UniversalInstaller.exe
2580 UniversalInstaller.exe
2580 UniversalInstaller.exe

pid	process
2580	UniversalInstaller.exe
2696	cmd.exe

pid	process
3064	UniversalInstaller.exe
3064	UniversalInstaller.exe
2580	UniversalInstaller.exe
2580	UniversalInstaller.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

CodeBlock-wallet_v1.3.1.exeCodeBlock-wallet_v1.3.1.exeUniversalInstaller.exeUniversalInstaller.execmd.exe

description	pid	process	target process
PID 1444 wrote to memory of 2372	1444	CodeBlock-wallet_v1.3.1.exe	CodeBlock-wallet_v1.3.1.exe
PID 1444 wrote to memory of 2372	1444	CodeBlock-wallet_v1.3.1.exe	CodeBlock-wallet_v1.3.1.exe
PID 1444 wrote to memory of 2372	1444	CodeBlock-wallet_v1.3.1.exe	CodeBlock-wallet_v1.3.1.exe
PID 1444 wrote to memory of 2372	1444	CodeBlock-wallet_v1.3.1.exe	CodeBlock-wallet_v1.3.1.exe
PID 1444 wrote to memory of 2372	1444	CodeBlock-wallet_v1.3.1.exe	CodeBlock-wallet_v1.3.1.exe
PID 1444 wrote to memory of 2372	1444	CodeBlock-wallet_v1.3.1.exe	CodeBlock-wallet_v1.3.1.exe
PID 1444 wrote to memory of 2372	1444	CodeBlock-wallet_v1.3.1.exe	CodeBlock-wallet_v1.3.1.exe
PID 2372 wrote to memory of 3064	2372	CodeBlock-wallet_v1.3.1.exe	UniversalInstaller.exe
PID 2372 wrote to memory of 3064	2372	CodeBlock-wallet_v1.3.1.exe	UniversalInstaller.exe
PID 2372 wrote to memory of 3064	2372	CodeBlock-wallet_v1.3.1.exe	UniversalInstaller.exe
PID 2372 wrote to memory of 3064	2372	CodeBlock-wallet_v1.3.1.exe	UniversalInstaller.exe
PID 2372 wrote to memory of 3064	2372	CodeBlock-wallet_v1.3.1.exe	UniversalInstaller.exe
PID 2372 wrote to memory of 3064	2372	CodeBlock-wallet_v1.3.1.exe	UniversalInstaller.exe
PID 2372 wrote to memory of 3064	2372	CodeBlock-wallet_v1.3.1.exe	UniversalInstaller.exe
PID 3064 wrote to memory of 2580	3064	UniversalInstaller.exe	UniversalInstaller.exe
PID 3064 wrote to memory of 2580	3064	UniversalInstaller.exe	UniversalInstaller.exe
PID 3064 wrote to memory of 2580	3064	UniversalInstaller.exe	UniversalInstaller.exe
PID 3064 wrote to memory of 2580	3064	UniversalInstaller.exe	UniversalInstaller.exe
PID 3064 wrote to memory of 2580	3064	UniversalInstaller.exe	UniversalInstaller.exe
PID 3064 wrote to memory of 2580	3064	UniversalInstaller.exe	UniversalInstaller.exe
PID 3064 wrote to memory of 2580	3064	UniversalInstaller.exe	UniversalInstaller.exe
PID 2580 wrote to memory of 2696	2580	UniversalInstaller.exe	cmd.exe
PID 2580 wrote to memory of 2696	2580	UniversalInstaller.exe	cmd.exe
PID 2580 wrote to memory of 2696	2580	UniversalInstaller.exe	cmd.exe
PID 2580 wrote to memory of 2696	2580	UniversalInstaller.exe	cmd.exe
PID 2580 wrote to memory of 2696	2580	UniversalInstaller.exe	cmd.exe
PID 2696 wrote to memory of 2168	2696	cmd.exe	explorer.exe
PID 2696 wrote to memory of 2168	2696	cmd.exe	explorer.exe
PID 2696 wrote to memory of 2168	2696	cmd.exe	explorer.exe
PID 2696 wrote to memory of 2168	2696	cmd.exe	explorer.exe
PID 2696 wrote to memory of 2168	2696	cmd.exe	explorer.exe
PID 2696 wrote to memory of 2168	2696	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
  "C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe" /VERYSILENT
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
    "C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
      C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        
        PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ae9afef0

Filesize
1.2MB

MD5
03589f8b75e953163cbb68744ecfba52

SHA1
256eace1dc57506c05cbec4a52fc108e4d5c28f8

SHA256
91ca0be2a18a0d47153f3a93986e1b3efe1a128a08fd8f6d75fe604a5d9867a4

SHA512
0984bd32153df95be1c23026dfee28d4d47ebf538b8f1f2c5cea47030446bc0af617e5a6c3538018eddaaf4ef013ca00af1d98e53e7e8ba81829e412a7741681

Download Submit
C:\Users\Admin\AppData\Roaming\UIxMarketPlugin.dll

Filesize
1.6MB

MD5
d1ba9412e78bfc98074c5d724a1a87d6

SHA1
0572f98d78fb0b366b5a086c2a74cc68b771d368

SHA256
cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15

SHA512
8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

Download Submit
C:\Users\Admin\AppData\Roaming\bigmouth.ai

Filesize
947KB

MD5
2006f33bd138198426dd0029bfb59d78

SHA1
b6331330a0ac4eec341c1c9eeb6f2f8cd202d1e4

SHA256
33a2f64783b7ccd9f66145d9d7288bff62a4a89b5ee3c82f7f5fe8d1bf68581f

SHA512
9fd5b2280c80b953fa74a5e5a8278b85b229daca0dfce988d8dafa14bc6db8906811da3b4628f27336886de8495822a173c36a72cfd9b8a90fbd8327fed5b649

Download Submit
C:\Users\Admin\AppData\Roaming\nighttime.xlsx

Filesize
59KB

MD5
6c6f6a14e9d0a4a4cccf42c556fbd674

SHA1
171078d45ebc27f5a8e448dc451d4f94947d82e5

SHA256
3b5e6c71c2ffbfb6e2db0338d44df9c403aca7778f487543cc6a1cb07a9a21e3

SHA512
8757f66f912ffb888229dbf9d21243dc14888bf21c401818e467d5d12865c7430c48fa0a9c5e6b96db3305f8413f2fe1200dcd9e9325839758a8c6ecac09477e

Download Submit
C:\Users\Admin\AppData\Roaming\relay.dll

Filesize
1.5MB

MD5
26f5bc7e93d04836018674ea346fcfc7

SHA1
3b7d74663bfc45388c403d2b4e242df5ee18e8f0

SHA256
2da4a73ab27ca87449151f119852b16280c64c8f7f4a1f3170a27875ae577163

SHA512
7e59b552b3c4b1b5278ad65f2da91bae9e1e429863b8f629ee8522ef330fe0973bb5c52bc69c4cb0b2af92274c2630246403debc9596f211921ed91ba736d7b9

Download Submit
\Users\Admin\AppData\Roaming\UniversalInstaller.exe

Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
memory/1444-3-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1444-0-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2168-100-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2168-97-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2168-106-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2168-105-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2168-104-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2168-110-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2168-103-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2168-108-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2168-96-0x0000000076F10000-0x00000000770B9000-memory.dmp

Filesize
1.7MB

Download
memory/2168-109-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2168-107-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2168-101-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2168-102-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2372-20-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2580-45-0x0000000073FC0000-0x0000000074134000-memory.dmp

Filesize
1.5MB

Download
memory/2580-44-0x0000000076F10000-0x00000000770B9000-memory.dmp

Filesize
1.7MB

Download
memory/2580-43-0x0000000073FC0000-0x0000000074134000-memory.dmp

Filesize
1.5MB

Download
memory/2696-48-0x0000000076F10000-0x00000000770B9000-memory.dmp

Filesize
1.7MB

Download
memory/2696-94-0x0000000073FC0000-0x0000000074134000-memory.dmp

Filesize
1.5MB

Download
memory/3064-27-0x0000000076F10000-0x00000000770B9000-memory.dmp

Filesize
1.7MB

Download
memory/3064-26-0x00000000740B0000-0x0000000074224000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing