remcos | 77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2

General

Target

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
Size

337KB
MD5

54be0c733c2f2ec0d17da28bd5f5d229
SHA1

2018ec1b9b4040d304d76ae8e0cb66edc0c5ce50
SHA256

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2
SHA512

f259c6f49c680afa464b0b7c341ca90fc33b28fcb219cf8d75eb36f9592975973751bef476d7332e6d4c4473cd60779f5c5b62f41db83816079a2e5559578721

Score

10^/10

remcos coreentity persistence rat rezer0

Malware Config

Extracted

Family

remcos

C2

servr.killifabuse1.xyz:8643

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/1904-3-0x00000000004D0000-0x00000000004D2000-memory.dmp	coreentity

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1904-4-0x0000000004540000-0x0000000004567000-memory.dmp	rezer0

Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

412 remcos.exe
436 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1912 cmd.exe

pid	process
412	remcos.exe
436	remcos.exe

pid	process
1912	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exeremcos.exeremcos.exe

description	pid	process	target process
PID 1904 set thread context of 1172	1904	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 412 set thread context of 436	412	remcos.exe	remcos.exe
PID 436 set thread context of 844	436	remcos.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exeremcos.exe

pid process

1904 77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
412 remcos.exe

pid	process
1904	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
412	remcos.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exeremcos.exe

description	pid	process
Token: SeDebugPrivilege	1904	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
Token: SeDebugPrivilege	412	remcos.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

436 remcos.exe

pid	process
436	remcos.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exeWScript.execmd.exeremcos.exeremcos.exe

description	pid	process	target process
PID 1904 wrote to memory of 1172	1904	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 1904 wrote to memory of 1172	1904	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 1904 wrote to memory of 1172	1904	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 1904 wrote to memory of 1172	1904	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 1904 wrote to memory of 1172	1904	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 1904 wrote to memory of 1172	1904	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 1904 wrote to memory of 1172	1904	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 1904 wrote to memory of 1172	1904	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 1904 wrote to memory of 1172	1904	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 1904 wrote to memory of 1172	1904	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 1904 wrote to memory of 1172	1904	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 1172 wrote to memory of 1692	1172	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	WScript.exe
PID 1172 wrote to memory of 1692	1172	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	WScript.exe
PID 1172 wrote to memory of 1692	1172	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	WScript.exe
PID 1172 wrote to memory of 1692	1172	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	WScript.exe
PID 1692 wrote to memory of 1912	1692	WScript.exe	cmd.exe
PID 1692 wrote to memory of 1912	1692	WScript.exe	cmd.exe
PID 1692 wrote to memory of 1912	1692	WScript.exe	cmd.exe
PID 1692 wrote to memory of 1912	1692	WScript.exe	cmd.exe
PID 1912 wrote to memory of 412	1912	cmd.exe	remcos.exe
PID 1912 wrote to memory of 412	1912	cmd.exe	remcos.exe
PID 1912 wrote to memory of 412	1912	cmd.exe	remcos.exe
PID 1912 wrote to memory of 412	1912	cmd.exe	remcos.exe
PID 412 wrote to memory of 436	412	remcos.exe	remcos.exe
PID 412 wrote to memory of 436	412	remcos.exe	remcos.exe
PID 412 wrote to memory of 436	412	remcos.exe	remcos.exe
PID 412 wrote to memory of 436	412	remcos.exe	remcos.exe
PID 412 wrote to memory of 436	412	remcos.exe	remcos.exe
PID 412 wrote to memory of 436	412	remcos.exe	remcos.exe
PID 412 wrote to memory of 436	412	remcos.exe	remcos.exe
PID 412 wrote to memory of 436	412	remcos.exe	remcos.exe
PID 412 wrote to memory of 436	412	remcos.exe	remcos.exe
PID 412 wrote to memory of 436	412	remcos.exe	remcos.exe
PID 412 wrote to memory of 436	412	remcos.exe	remcos.exe
PID 436 wrote to memory of 844	436	remcos.exe	svchost.exe
PID 436 wrote to memory of 844	436	remcos.exe	svchost.exe
PID 436 wrote to memory of 844	436	remcos.exe	svchost.exe
PID 436 wrote to memory of 844	436	remcos.exe	svchost.exe
PID 436 wrote to memory of 844	436	remcos.exe	svchost.exe
PID 436 wrote to memory of 844	436	remcos.exe	svchost.exe
PID 436 wrote to memory of 844	436	remcos.exe	svchost.exe
PID 436 wrote to memory of 844	436	remcos.exe	svchost.exe
PID 436 wrote to memory of 844	436	remcos.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
"C:\Users\Admin\AppData\Local\Temp\77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
"{path}"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
ff449f6f7bc5e2d800eb30e2d2c56611

SHA1
93419ea805b9ce35a766e5c56db50d54c2d3f94b

SHA256
655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

SHA512
02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
MD5
54be0c733c2f2ec0d17da28bd5f5d229

SHA1
2018ec1b9b4040d304d76ae8e0cb66edc0c5ce50

SHA256
77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2

SHA512
f259c6f49c680afa464b0b7c341ca90fc33b28fcb219cf8d75eb36f9592975973751bef476d7332e6d4c4473cd60779f5c5b62f41db83816079a2e5559578721

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
MD5
54be0c733c2f2ec0d17da28bd5f5d229

SHA1
2018ec1b9b4040d304d76ae8e0cb66edc0c5ce50

SHA256
77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2

SHA512
f259c6f49c680afa464b0b7c341ca90fc33b28fcb219cf8d75eb36f9592975973751bef476d7332e6d4c4473cd60779f5c5b62f41db83816079a2e5559578721

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
MD5
54be0c733c2f2ec0d17da28bd5f5d229

SHA1
2018ec1b9b4040d304d76ae8e0cb66edc0c5ce50

SHA256
77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2

SHA512
f259c6f49c680afa464b0b7c341ca90fc33b28fcb219cf8d75eb36f9592975973751bef476d7332e6d4c4473cd60779f5c5b62f41db83816079a2e5559578721

Download Submit
\Users\Admin\AppData\Roaming\remcos\remcos.exe
MD5
54be0c733c2f2ec0d17da28bd5f5d229

SHA1
2018ec1b9b4040d304d76ae8e0cb66edc0c5ce50

SHA256
77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2

SHA512
f259c6f49c680afa464b0b7c341ca90fc33b28fcb219cf8d75eb36f9592975973751bef476d7332e6d4c4473cd60779f5c5b62f41db83816079a2e5559578721

Download Submit
memory/412-17-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/412-16-0x0000000072E30000-0x000000007351E000-memory.dmp

Filesize
6.9MB

Download
memory/412-14-0x0000000000000000-mapping.dmp

Download
memory/436-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/436-22-0x0000000000413A84-mapping.dmp

Download
memory/844-27-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/844-26-0x000000000044D11E-mapping.dmp

Download
memory/844-28-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/844-25-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1172-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1172-6-0x0000000000413A84-mapping.dmp

Download
memory/1172-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1692-11-0x0000000002680000-0x0000000002684000-memory.dmp

Filesize
16KB

Download
memory/1692-8-0x0000000000000000-mapping.dmp

Download
memory/1904-3-0x00000000004D0000-0x00000000004D2000-memory.dmp

Filesize
8KB

Download
memory/1904-1-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1904-0-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/1904-4-0x0000000004540000-0x0000000004567000-memory.dmp

Filesize
156KB

Download
memory/1912-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads