remcos | 1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e

General

Target

1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe
Size

12.3MB
MD5

bd868158318bdb48e6a445fbe49a3cc0
SHA1

f8d4e93ea520d579264922b5814bf7e110862750
SHA256

1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e
SHA512

ad2fae35737405ae59aa8d283d131ad0db9022f174bf1f1160f619c0d56224fefe736015b1c82b590e41e014b281f3c818753bee593593261f0c48e28cb0ab17

Score

10^/10

remcos rat rezer0

Malware Config

Extracted

Family

remcos

C2

CEDSXoissLv2NiM.club:5762

PgqduOYXVZeNNam.xyz:5762

USd7O88wEMlUtX5.xyz:5762

pMfiryhhkiN98Px.xyz:5762

Se2Qwz60L2OxZNM.xyz:5762

GWtY0fiG58DCq6F.xyz:5762

maui16azsncpo97.info:5762

mj99puoba6c3gun.info:5762

tu90to3b4q4uqze.info:5762

cwt1u0vv8ic357ov.info:5762

agaoajz1hrvevre.info:5762

poykoqnl7jkj632.info:5762

cbiq1neygyp1wno.info:5762

BCBNcQ393Z3HPLQ.club:5762

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1732-4-0x00000000006C0000-0x00000000006E8000-memory.dmp	rezer0

Suspicious use of SetThreadContext 1 IoCs

Processes:

1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe

description	pid	process	target process
PID 1732 set thread context of 1564	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1236 schtasks.exe

pid	process
1236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe

pid	process
1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe
1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe

description pid process

Token: SeDebugPrivilege 1732 1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe

description	pid	process
Token: SeDebugPrivilege	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe

description	pid	process	target process
PID 1732 wrote to memory of 1236	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	schtasks.exe
PID 1732 wrote to memory of 1236	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	schtasks.exe
PID 1732 wrote to memory of 1236	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	schtasks.exe
PID 1732 wrote to memory of 1236	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	schtasks.exe
PID 1732 wrote to memory of 1136	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1136	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1136	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1136	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1136	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1136	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1136	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1564	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1564	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1564	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1564	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1564	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1564	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1564	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1564	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1564	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1564	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1564	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1564	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1564	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe
PID 1732 wrote to memory of 1564	1732	1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe
"C:\Users\Admin\AppData\Local\Temp\1798895e5928e606be2b611b99758a722f936c9cc92c7ecd76446cc7a2533a3e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YrztqVJUmKh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp642F.tmp"
2⤵
- Creates scheduled task(s)
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp642F.tmp
MD5
6545c68b3aa228dc1251dfa090dd2a13

SHA1
17d07f7da817d011878caf0d8ff27dbf367ad0b8

SHA256
e3fc21f1ee0ff6521fc209de3ce6e2467711de30fa20c67afbc75bb461f9cb1b

SHA512
3aaf77edd8fa6700717709b93d60a497a42cec22899e3662c7db6d6ef5b46b694c5679bcaca4bbadfab99c6402e24cb65c6cb9a1d884530fe5870d7a4ff5e59c

Download Submit
memory/1236-5-0x0000000000000000-mapping.dmp

Download
memory/1564-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1564-8-0x0000000000413A84-mapping.dmp

Download
memory/1564-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1732-0-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1732-1-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/1732-3-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/1732-4-0x00000000006C0000-0x00000000006E8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads