remcos | 826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36

General

Target

826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
Size

7.0MB
MD5

f36c7ece4729f87499cbf12bf35637e5
SHA1

a3b662d9308055d4bd6c5255d457c6f5a07a4a27
SHA256

826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36
SHA512

07e6369ef7434290c02ba9320edc82076eb3bd42a59a2b37554c94dc43adb949e13fbe809c51aed047427ba93c00159678d03187944e10d49e124545bfd63344

Score

10^/10

remcos rat rezer0

Malware Config

Extracted

Family

remcos

C2

CEDSXoissLv2NiM.club:5762

PgqduOYXVZeNNam.xyz:5762

USd7O88wEMlUtX5.xyz:5762

pMfiryhhkiN98Px.xyz:5762

Se2Qwz60L2OxZNM.xyz:5762

GWtY0fiG58DCq6F.xyz:5762

maui16azsncpo97.info:5762

mj99puoba6c3gun.info:5762

tu90to3b4q4uqze.info:5762

cwt1u0vv8ic357ov.info:5762

agaoajz1hrvevre.info:5762

poykoqnl7jkj632.info:5762

cbiq1neygyp1wno.info:5762

BCBNcQ393Z3HPLQ.club:5762

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/4752-8-0x00000000073E0000-0x0000000007408000-memory.dmp	rezer0

Suspicious use of SetThreadContext 1 IoCs

Processes:

826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe

description	pid	process	target process
PID 4752 set thread context of 648	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4348 schtasks.exe

pid	process
4348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe

pid	process
4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe

description pid process

Token: SeDebugPrivilege 4752 826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe

description	pid	process
Token: SeDebugPrivilege	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe

C:\Users\Admin\AppData\Local\Temp\826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
"C:\Users\Admin\AppData\Local\Temp\826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KSridAySHa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB6F2.tmp"
2⤵
- Creates scheduled task(s)
PID:4348

C:\Users\Admin\AppData\Local\Temp\826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
"{path}"
2⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
"{path}"
2⤵
PID:648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB6F2.tmp
MD5
c9e13621eeedbcff0d9a784dd75a51ba

SHA1
0197c0e3c6ce15bb7cdc06c072095b56509cbc95

SHA256
9138e8b23b6d0aec598f5408ff9a031ddf3ee9f951227a1925489d3da6c27699

SHA512
d75dafdb3a31b02b4d0ec54c6f9a63285155ee07a50aab1a392fceee6d69956b7d37013191e32d5fd43da374dcaa22170fcff7142f7a91c605ce3d9a7d793573

Download Submit
memory/648-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/648-12-0x0000000000413A84-mapping.dmp

Download
memory/648-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4348-9-0x0000000000000000-mapping.dmp

Download
memory/4752-4-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/4752-7-0x0000000005530000-0x0000000005533000-memory.dmp

Filesize
12KB

Download
memory/4752-8-0x00000000073E0000-0x0000000007408000-memory.dmp

Filesize
160KB

Download
memory/4752-6-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/4752-5-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/4752-0-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/4752-3-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/4752-1-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 4752 wrote to memory of 4348	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	schtasks.exe
PID 4752 wrote to memory of 4348	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	schtasks.exe
PID 4752 wrote to memory of 4348	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	schtasks.exe
PID 4752 wrote to memory of 652	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
PID 4752 wrote to memory of 652	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
PID 4752 wrote to memory of 652	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
PID 4752 wrote to memory of 648	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
PID 4752 wrote to memory of 648	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
PID 4752 wrote to memory of 648	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
PID 4752 wrote to memory of 648	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
PID 4752 wrote to memory of 648	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
PID 4752 wrote to memory of 648	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
PID 4752 wrote to memory of 648	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
PID 4752 wrote to memory of 648	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
PID 4752 wrote to memory of 648	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe
PID 4752 wrote to memory of 648	4752	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe	826c402e3bccdb488a218f6535dde25aef5f0d219cf5ddf22399644174771d36.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads