remcos | 2baa36ebea1ad309fa1083845b0510d4ea439bd52463c67dc1376a722c2e9fbb

General

Target

CodeBlock-wallet_v1.3.1.exe
Size

99.4MB
MD5

51214f407f63fa8b44b168e7fb1af2a4
SHA1

5d253f197114361a2f80ca0d0e2fed6834c97b2b
SHA256

0afab6861707ce6ad25f50fdf52af8dc3e637ba4c0fac93443fe073274cdc742
SHA512

e891b1eeb33b0f8a80af771bb0caea27f8e1e586277ed030e5091380a3933cb81a34b8fde1eade0db993f9dd661bee7f72fd6c2f7fe5fa2590c4530250513ca7
SSDEEP

49152:4WGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbG3335:MtLutqgwh4NYxtJpkxhGx333

Score

10^/10

remcos 22077 rat

Malware Config

Extracted

Family

remcos

Botnet

22077

C2

195.54.170.36:22077

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
VB786YNr-ICKPAO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CodeBlock-wallet_v1.3.1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	CodeBlock-wallet_v1.3.1.exe

Executes dropped EXE 2 IoCs

Processes:

UniversalInstaller.exeUniversalInstaller.exe

pid process

3736 UniversalInstaller.exe
1568 UniversalInstaller.exe
Loads dropped DLL 2 IoCs

Processes:

UniversalInstaller.exeUniversalInstaller.exe

pid process

3736 UniversalInstaller.exe
1568 UniversalInstaller.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

UniversalInstaller.exe

description pid process target process

PID 1568 set thread context of 4468 1568 UniversalInstaller.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3736	UniversalInstaller.exe
1568	UniversalInstaller.exe

pid	process
3736	UniversalInstaller.exe
1568	UniversalInstaller.exe

description	pid	process	target process
PID 1568 set thread context of 4468	1568	UniversalInstaller.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

CodeBlock-wallet_v1.3.1.exeUniversalInstaller.exeUniversalInstaller.execmd.exe

pid	process
3948	CodeBlock-wallet_v1.3.1.exe
3948	CodeBlock-wallet_v1.3.1.exe
3736	UniversalInstaller.exe
1568	UniversalInstaller.exe
1568	UniversalInstaller.exe
4468	cmd.exe
4468	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

UniversalInstaller.execmd.exe

pid process

1568 UniversalInstaller.exe
4468 cmd.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

CodeBlock-wallet_v1.3.1.exe

pid process

3948 CodeBlock-wallet_v1.3.1.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

UniversalInstaller.exeUniversalInstaller.exe

pid process

3736 UniversalInstaller.exe
3736 UniversalInstaller.exe
1568 UniversalInstaller.exe
1568 UniversalInstaller.exe

pid	process
1568	UniversalInstaller.exe
4468	cmd.exe

pid	process
3736	UniversalInstaller.exe
3736	UniversalInstaller.exe
1568	UniversalInstaller.exe
1568	UniversalInstaller.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

CodeBlock-wallet_v1.3.1.exeCodeBlock-wallet_v1.3.1.exeUniversalInstaller.exeUniversalInstaller.execmd.exe

description	pid	process	target process
PID 452 wrote to memory of 3948	452	CodeBlock-wallet_v1.3.1.exe	CodeBlock-wallet_v1.3.1.exe
PID 452 wrote to memory of 3948	452	CodeBlock-wallet_v1.3.1.exe	CodeBlock-wallet_v1.3.1.exe
PID 452 wrote to memory of 3948	452	CodeBlock-wallet_v1.3.1.exe	CodeBlock-wallet_v1.3.1.exe
PID 3948 wrote to memory of 3736	3948	CodeBlock-wallet_v1.3.1.exe	UniversalInstaller.exe
PID 3948 wrote to memory of 3736	3948	CodeBlock-wallet_v1.3.1.exe	UniversalInstaller.exe
PID 3948 wrote to memory of 3736	3948	CodeBlock-wallet_v1.3.1.exe	UniversalInstaller.exe
PID 3736 wrote to memory of 1568	3736	UniversalInstaller.exe	UniversalInstaller.exe
PID 3736 wrote to memory of 1568	3736	UniversalInstaller.exe	UniversalInstaller.exe
PID 3736 wrote to memory of 1568	3736	UniversalInstaller.exe	UniversalInstaller.exe
PID 1568 wrote to memory of 4468	1568	UniversalInstaller.exe	cmd.exe
PID 1568 wrote to memory of 4468	1568	UniversalInstaller.exe	cmd.exe
PID 1568 wrote to memory of 4468	1568	UniversalInstaller.exe	cmd.exe
PID 1568 wrote to memory of 4468	1568	UniversalInstaller.exe	cmd.exe
PID 4468 wrote to memory of 964	4468	cmd.exe	explorer.exe
PID 4468 wrote to memory of 964	4468	cmd.exe	explorer.exe
PID 4468 wrote to memory of 964	4468	cmd.exe	explorer.exe
PID 4468 wrote to memory of 964	4468	cmd.exe	explorer.exe
PID 4468 wrote to memory of 964	4468	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:452
- C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
  "C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe" /VERYSILENT
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
    "C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
      C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4468
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        
        PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ad8e0611

Filesize
1.2MB

MD5
316a23c9db64cdf058deb04d5cb6fe7a

SHA1
f973c3256ec85a05a4118cb7363e5fb51d6f1429

SHA256
125800a75afd70bee0202e147ebbf2843dbf4fe7ab6bda1227ecd5ad03d249c7

SHA512
e889ca550646ba91847d587ef0a26b316646203d87773faac1187de9f90fb18260da6cf641ade243fa88a76aba72857c14eb78b593e4576f968e4f5ba53450eb

Download Submit
C:\Users\Admin\AppData\Roaming\UIxMarketPlugin.dll

Filesize
1.6MB

MD5
d1ba9412e78bfc98074c5d724a1a87d6

SHA1
0572f98d78fb0b366b5a086c2a74cc68b771d368

SHA256
cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15

SHA512
8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

Download Submit
C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe

Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
C:\Users\Admin\AppData\Roaming\bigmouth.ai

Filesize
947KB

MD5
2006f33bd138198426dd0029bfb59d78

SHA1
b6331330a0ac4eec341c1c9eeb6f2f8cd202d1e4

SHA256
33a2f64783b7ccd9f66145d9d7288bff62a4a89b5ee3c82f7f5fe8d1bf68581f

SHA512
9fd5b2280c80b953fa74a5e5a8278b85b229daca0dfce988d8dafa14bc6db8906811da3b4628f27336886de8495822a173c36a72cfd9b8a90fbd8327fed5b649

Download Submit
C:\Users\Admin\AppData\Roaming\nighttime.xlsx

Filesize
59KB

MD5
6c6f6a14e9d0a4a4cccf42c556fbd674

SHA1
171078d45ebc27f5a8e448dc451d4f94947d82e5

SHA256
3b5e6c71c2ffbfb6e2db0338d44df9c403aca7778f487543cc6a1cb07a9a21e3

SHA512
8757f66f912ffb888229dbf9d21243dc14888bf21c401818e467d5d12865c7430c48fa0a9c5e6b96db3305f8413f2fe1200dcd9e9325839758a8c6ecac09477e

Download Submit
C:\Users\Admin\AppData\Roaming\relay.dll

Filesize
1.5MB

MD5
26f5bc7e93d04836018674ea346fcfc7

SHA1
3b7d74663bfc45388c403d2b4e242df5ee18e8f0

SHA256
2da4a73ab27ca87449151f119852b16280c64c8f7f4a1f3170a27875ae577163

SHA512
7e59b552b3c4b1b5278ad65f2da91bae9e1e429863b8f629ee8522ef330fe0973bb5c52bc69c4cb0b2af92274c2630246403debc9596f211921ed91ba736d7b9

Download Submit
memory/452-3-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/452-0-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/964-53-0x0000000000C90000-0x0000000000D13000-memory.dmp

Filesize
524KB

Download
memory/964-55-0x0000000000C90000-0x0000000000D13000-memory.dmp

Filesize
524KB

Download
memory/964-63-0x0000000000C90000-0x0000000000D13000-memory.dmp

Filesize
524KB

Download
memory/964-59-0x0000000000C90000-0x0000000000D13000-memory.dmp

Filesize
524KB

Download
memory/964-58-0x0000000000C90000-0x0000000000D13000-memory.dmp

Filesize
524KB

Download
memory/964-57-0x0000000000C90000-0x0000000000D13000-memory.dmp

Filesize
524KB

Download
memory/964-56-0x0000000000C90000-0x0000000000D13000-memory.dmp

Filesize
524KB

Download
memory/964-62-0x0000000000C90000-0x0000000000D13000-memory.dmp

Filesize
524KB

Download
memory/964-61-0x0000000000C90000-0x0000000000D13000-memory.dmp

Filesize
524KB

Download
memory/964-49-0x00007FFF68BB0000-0x00007FFF68DA5000-memory.dmp

Filesize
2.0MB

Download
memory/964-50-0x0000000000C90000-0x0000000000D13000-memory.dmp

Filesize
524KB

Download
memory/964-60-0x0000000000C90000-0x0000000000D13000-memory.dmp

Filesize
524KB

Download
memory/964-54-0x0000000000C90000-0x0000000000D13000-memory.dmp

Filesize
524KB

Download
memory/1568-42-0x0000000074590000-0x000000007470B000-memory.dmp

Filesize
1.5MB

Download
memory/1568-41-0x00007FFF68BB0000-0x00007FFF68DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1568-40-0x0000000074590000-0x000000007470B000-memory.dmp

Filesize
1.5MB

Download
memory/3736-26-0x00007FFF68BB0000-0x00007FFF68DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3736-25-0x0000000074600000-0x000000007477B000-memory.dmp

Filesize
1.5MB

Download
memory/3948-5-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/3948-20-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4468-47-0x0000000074590000-0x000000007470B000-memory.dmp

Filesize
1.5MB

Download
memory/4468-45-0x00007FFF68BB0000-0x00007FFF68DA5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads