remcos | 38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe
Size

959KB
MD5

3af10feddd3a827a7c7725fab1b97745
SHA1

c34daf7dea4deb87305cb2a7d3147da38f77091b
SHA256

38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f
SHA512

c616ae06060fbfff228f294fb690fbb20af2f1230d592e1a3a020b084034d637cb7393c823d05e10c2eacabd06ab3ca4746953c4a77649693894b0d522396611
SSDEEP

24576:8HmHBVbcOmTnszrGeTMFTgm227Zaz5r2pXFWyEL:2QI9yrGIMFTI2JLq

Score

10^/10

remcos zzzzzzzzzzzzzzzzzzzzzzzznuevamente discovery rat

Malware Config

Extracted

Family

remcos

Version

2.5.1 Pro

Botnet

zzzzzzzzzzzzZZZZZZZZZZZZNUEVAMENTE

dominoduck2095.duckdns.org:9597

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Chrome.exe
copy_folder
Chrome
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
system
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-NUTDL6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 6 IoCs

flow	pid	Process
3	2512	cmd.exe
6	2512	cmd.exe
7	2512	cmd.exe
9	2512	cmd.exe
10	2512	cmd.exe
11	2512	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2752	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\esentutl.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2752	rundll32.exe
2752	rundll32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2752	rundll32.exe
2752	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2512	cmd.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2752	2200	JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe	30
PID 2200 wrote to memory of 2752	2200	JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe	30
PID 2200 wrote to memory of 2752	2200	JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe	30
PID 2200 wrote to memory of 2752	2200	JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe	30
PID 2200 wrote to memory of 2752	2200	JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe	30
PID 2200 wrote to memory of 2752	2200	JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe	30
PID 2200 wrote to memory of 2752	2200	JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe	30
PID 2752 wrote to memory of 2792	2752	rundll32.exe	31
PID 2752 wrote to memory of 2792	2752	rundll32.exe	31
PID 2752 wrote to memory of 2792	2752	rundll32.exe	31
PID 2752 wrote to memory of 2792	2752	rundll32.exe	31
PID 2752 wrote to memory of 2792	2752	rundll32.exe	31
PID 2752 wrote to memory of 2792	2752	rundll32.exe	31
PID 2752 wrote to memory of 2792	2752	rundll32.exe	31
PID 2752 wrote to memory of 2792	2752	rundll32.exe	31
PID 2752 wrote to memory of 2792	2752	rundll32.exe	31
PID 2752 wrote to memory of 2792	2752	rundll32.exe	31
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32
PID 2752 wrote to memory of 2512	2752	rundll32.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe GuestRummy,Michelle
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GuestRummy.DLL

Filesize
19KB

MD5
fc2b4128dbe4d1885b5f3297b8d77e3d

SHA1
239043c06a87fd038f242a240d64996acd7de8b9

SHA256
95965a6f6a610d3cd68ab6f2eabdb2fb23c29db258761ea8b547c754fe11ce4e

SHA512
a477136f2ebf89257197d86cd35b050e7fd0ad8cce97f3d532ac9749ddb9e4dfc9bce365543ab812b80a182f10f631bddb322bb9a89e745cb75a7116e2061f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Widget

Filesize
858KB

MD5
d939d6020b0253004cf75fe77ec938be

SHA1
4e01426b8d1e95d95de93ffbce6d17ad9f68a3d5

SHA256
6a245cf81218561625e171252d8f66d712aa9c7f3181540a0d2eb7d50d1c2b86

SHA512
c7ad2cca81c67804e46ebfda9170f3a3a63e1487b4143fbdb1ea56b439f7b809ab6b82bb4cd3ba16152326cdd6445f0254f055dfbfe5f6d55c9bb781b931ab40

Download Submit
C:\Users\Admin\AppData\Roaming\system\logs.dat

Filesize
74B

MD5
efad3e672bd64f471f7c643c3c1374a3

SHA1
6c81277e486caa2655d146cf7f45daf5e77e69b4

SHA256
84eb9bf38942d6fde885a1d13342ccee616d7d91d09fcea2541df555d84449e4

SHA512
bba23c7115ed4fe8e2052ad9499a1531021bea02aa01df88ef34faa07da60f7f7f8a10bedcd24349de675b2ffd5ce38666000172b1c6db4cb55cf42b5c6770dd

Download Submit
memory/2512-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2512-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2512-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2512-25-0x00000000000D0000-0x00000000000D6000-memory.dmp

Filesize
24KB

Download
memory/2512-33-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2512-35-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2752-22-0x00000000760F0000-0x0000000076125000-memory.dmp

Filesize
212KB

Download
memory/2752-26-0x0000000074140000-0x0000000074198000-memory.dmp

Filesize
352KB

Download
memory/2752-21-0x0000000074140000-0x0000000074198000-memory.dmp

Filesize
352KB

Download
memory/2752-20-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download