remcos | 89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80

General

Target

89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
Size

1.2MB
MD5

db806fa70eeb4e0d42f85f3bfaf45d8e
SHA1

22e9ff02e668be7f0b01a33ce3a90ac257d7927d
SHA256

89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80
SHA512

9eedda030efabccd9a24838c68e23268cb0d9ea1d444e09155ad257ae05c9fb20f5d3f0f63b7bacb0ed42979caf62d07ad710328c304186001b0805dc8aeb82b

Score

10^/10

rat remcos

Malware Config

Extracted

Family

remcos

C2

jswork.duckdns.org:6767

jswork.ddns.net:6767

Signatures

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe

pid	process
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe

Drops startup file 1 IoCs

Processes:

89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iexpress.url	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe

pid	process
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe

pid	process
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe

description	pid	process	target process
PID 272 wrote to memory of 1800	272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
PID 272 wrote to memory of 1800	272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
PID 272 wrote to memory of 1800	272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
PID 272 wrote to memory of 1800	272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
PID 272 wrote to memory of 1800	272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
PID 272 wrote to memory of 1800	272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe

description	pid	process	target process
PID 272 set thread context of 1800	272	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe	89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe

C:\Users\Admin\AppData\Local\Temp\89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
"C:\Users\Admin\AppData\Local\Temp\89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Drops startup file
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:272

C:\Users\Admin\AppData\Local\Temp\89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe
"C:\Users\Admin\AppData\Local\Temp\89b2357e89f357fba520dc35157a8285bf67bb5bf50e48510b9331287d8a2e80.exe"
2⤵
PID:1800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1800-0-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1800-1-0x0000000000093B74-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads