remcos | 55f131be9f75250cc1291aafe4bc1593d460bcc71c62da5437aa14c894cf22f3

General

Target

$PLUGINSDIR/gb7ir8nsaimu39b.dll
Size

149KB
MD5

0c44ee25d7c510783d118d3f76d88b3b
SHA1

ff537d185513d1a2daf91ca5679c79f3c8346e9a
SHA256

0b54c2abb6bee336adc1866f128591a6e0d5fa0f90333f6a6b57205b41196e20
SHA512

a13490eb75a842e15ae33cb167209e76dbfb7b1fe96530ca3bd41ff2a4318717b53a5e44bb1f0f2523f38888e142061019082ffb11bc633953a773b25e2fc587
SSDEEP

3072:zakbhW2I5O+aiKzEV6o7dkH6ChVLOSV49p6vfESJvAEVXUOQn3r+e2:zjbM2SwbUJ6HrLOHovfFNAE23r+e2

Score

10^/10

remcos grace _ marcy discovery rat

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

GRACE _ MARCY

C2

103.153.77.83:4348

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
mozila.exe
copy_folder
mozila
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
mozila
keylog_path
%AppData%
mouse_option
false
mutex
mozila-VR8Q9A
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
mozila
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 7 IoCs

flow	pid	Process
2	3020	rundll32.exe
5	3020	rundll32.exe
6	3020	rundll32.exe
7	3020	rundll32.exe
8	3020	rundll32.exe
9	3020	rundll32.exe
10	3020	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 3020	2060	rundll32.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1072	2060	WerFault.exe	28

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2060	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3020	rundll32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2060	2284	rundll32.exe	28
PID 2284 wrote to memory of 2060	2284	rundll32.exe	28
PID 2284 wrote to memory of 2060	2284	rundll32.exe	28
PID 2284 wrote to memory of 2060	2284	rundll32.exe	28
PID 2284 wrote to memory of 2060	2284	rundll32.exe	28
PID 2284 wrote to memory of 2060	2284	rundll32.exe	28
PID 2284 wrote to memory of 2060	2284	rundll32.exe	28
PID 2060 wrote to memory of 3020	2060	rundll32.exe	29
PID 2060 wrote to memory of 3020	2060	rundll32.exe	29
PID 2060 wrote to memory of 3020	2060	rundll32.exe	29
PID 2060 wrote to memory of 3020	2060	rundll32.exe	29
PID 2060 wrote to memory of 3020	2060	rundll32.exe	29
PID 2060 wrote to memory of 3020	2060	rundll32.exe	29
PID 2060 wrote to memory of 3020	2060	rundll32.exe	29
PID 2060 wrote to memory of 3020	2060	rundll32.exe	29
PID 2060 wrote to memory of 1072	2060	rundll32.exe	30
PID 2060 wrote to memory of 1072	2060	rundll32.exe	30
PID 2060 wrote to memory of 1072	2060	rundll32.exe	30
PID 2060 wrote to memory of 1072	2060	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gb7ir8nsaimu39b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gb7ir8nsaimu39b.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gb7ir8nsaimu39b.dll,#1
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 312
    3⤵
    - Program crash
    PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mozila\logs.dat

Filesize
90B

MD5
7731765a845bfb7324ca2a92061213b8

SHA1
401f6d6ed76eaafef1d42db809db991a1de21374

SHA256
e4e3469d85d9453808927bcc408b2d1f7f655c53e8a574beb62989615bf731c0

SHA512
d7f2cd634d161dedd4d0d46eac483f9ef70e54420d4a625981c5b8c1660a727bc0d8685e2ee9dd1c684589a269ab1734341df6c8afa76298a61259b842ad2510

Download Submit
memory/2060-1-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/2060-0-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/2060-11-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/3020-2-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3020-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3020-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3020-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3020-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing