remcos | ffde0dec915c775224eb553a98b35f906fbce2e56778190859913e566c84dd60

General

Target

msimg32.dll
Size

45.1MB
MD5

066cca9347ad8188670f770ddcee55f0
SHA1

a71df2cfa7af7f27f22b17cdf90788784994e4fe
SHA256

cfade56c6497caca67e247954d9b0bbac8018b316d420b22a39ab0eb2fdd05d6
SHA512

71531dfe50737728ecf1345830f0fdc1001408ff7b28010526655c583f717655a0c3224930b46dcdb2d26b1a1376c821098a59bfc1e951e94ba2a8cec1492df1
SSDEEP

786432:YUP7GCGO7t0Srkx/tC0SzIdSwh/WxbpNHQD3trzRpn:YUP7GCG6iSrkx1hSzYsHQD3t/RN

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

pattreon.duckdns.org:7035

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7D4Q3L
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\ChromeData.dll,EntryPoint"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

regsvr32.exe

pid process

2032 regsvr32.exe

pid	process
2032	regsvr32.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

regsvr32.exeregsvr32.execmd.exe

description	pid	process	target process
PID 1612 wrote to memory of 2032	1612	regsvr32.exe	regsvr32.exe
PID 1612 wrote to memory of 2032	1612	regsvr32.exe	regsvr32.exe
PID 1612 wrote to memory of 2032	1612	regsvr32.exe	regsvr32.exe
PID 1612 wrote to memory of 2032	1612	regsvr32.exe	regsvr32.exe
PID 1612 wrote to memory of 2032	1612	regsvr32.exe	regsvr32.exe
PID 1612 wrote to memory of 2032	1612	regsvr32.exe	regsvr32.exe
PID 1612 wrote to memory of 2032	1612	regsvr32.exe	regsvr32.exe
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	regsvr32.exe
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	regsvr32.exe
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	regsvr32.exe
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	regsvr32.exe
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	regsvr32.exe
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	regsvr32.exe
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	regsvr32.exe
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	regsvr32.exe
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	regsvr32.exe
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	regsvr32.exe
PID 2032 wrote to memory of 2688	2032	regsvr32.exe	cmd.exe
PID 2032 wrote to memory of 2688	2032	regsvr32.exe	cmd.exe
PID 2032 wrote to memory of 2688	2032	regsvr32.exe	cmd.exe
PID 2032 wrote to memory of 2688	2032	regsvr32.exe	cmd.exe
PID 2688 wrote to memory of 2028	2688	cmd.exe	reg.exe
PID 2688 wrote to memory of 2028	2688	cmd.exe	reg.exe
PID 2688 wrote to memory of 2028	2688	cmd.exe	reg.exe
PID 2688 wrote to memory of 2028	2688	cmd.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\msimg32.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\msimg32.dll
2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe"
3⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeData.dll",EntryPoint /f & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeData.dll",EntryPoint /f
4⤵
- Adds Run key to start application
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2032-0-0x0000000010000000-0x0000000012DD5000-memory.dmp

Filesize
45.8MB

Download
memory/2032-18-0x0000000012D7F000-0x0000000012DA8000-memory.dmp

Filesize
164KB

Download
memory/2032-1-0x00000000102E6000-0x0000000010300000-memory.dmp

Filesize
104KB

Download
memory/2032-15-0x0000000010000000-0x0000000012DD5000-memory.dmp

Filesize
45.8MB

Download
memory/2032-10-0x0000000010000000-0x0000000012DD5000-memory.dmp

Filesize
45.8MB

Download
memory/2992-17-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-19-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-12-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-11-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-2-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-16-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-6-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2992-8-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2992-14-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-20-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-21-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-22-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-23-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-24-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-25-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-26-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-27-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-28-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-29-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads