remcos | da58d100900745d6a15113e8b8cb5c2a3252a3c4a063ccc64fd09cc75cfb21ff

Analysis

max time kernel
148s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
01-01-2021 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PolarisBiosEditor-master.exe
Size

1.7MB
MD5

dab64fc2e97031487358ef3553c8ff8a
SHA1

7f8258b6e9a455a4de914c5ee0952821ef036308
SHA256

da58d100900745d6a15113e8b8cb5c2a3252a3c4a063ccc64fd09cc75cfb21ff
SHA512

44e4fb714cf5ac71bb3c5517b039227a1b2c3952948e85c0b2a758b06cc60ba8203e1dcaa6a9fdeabf8c51e3327016fe5a9f7e67845cd5705665a281dccbd66f

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

193.111.198.220:5861

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

20 492 cmd.exe
Executes dropped EXE 4 IoCs

Processes:

PolarisBiosEditor.exePolarisBiosEditor.exePolarisBiosEditor.exeNet32 Driver.exe

pid process

3040 PolarisBiosEditor.exe
3676 PolarisBiosEditor.exe
1964 PolarisBiosEditor.exe
3960 Net32 Driver.exe
Loads dropped DLL 4 IoCs

Processes:

PolarisBiosEditor.exePolarisBiosEditor.exe

pid process

3040 PolarisBiosEditor.exe
3040 PolarisBiosEditor.exe
3676 PolarisBiosEditor.exe
3676 PolarisBiosEditor.exe
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\mdrs.job cmd.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

PolarisBiosEditor.exeNet32 Driver.exenotepad.exe

pid process

3676 PolarisBiosEditor.exe
3676 PolarisBiosEditor.exe
3960 Net32 Driver.exe
4068 notepad.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

notepad.exe

pid process

4068 notepad.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

PolarisBiosEditor.exe

pid process

3676 PolarisBiosEditor.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

492 cmd.exe

flow	pid	process
20	492	cmd.exe

pid	process
3040	PolarisBiosEditor.exe
3676	PolarisBiosEditor.exe
1964	PolarisBiosEditor.exe
3960	Net32 Driver.exe

pid	process
3040	PolarisBiosEditor.exe
3040	PolarisBiosEditor.exe
3676	PolarisBiosEditor.exe
3676	PolarisBiosEditor.exe

description	ioc	process
File created	C:\Windows\Tasks\mdrs.job	cmd.exe

pid	process
3676	PolarisBiosEditor.exe
3676	PolarisBiosEditor.exe
3960	Net32 Driver.exe
4068	notepad.exe

pid	process
4068	notepad.exe

pid	process
3676	PolarisBiosEditor.exe

pid	process
492	cmd.exe

Suspicious use of WriteProcessMemory 171 IoCs

Processes:

PolarisBiosEditor-master.exePolarisBiosEditor.exePolarisBiosEditor.exeNet32 Driver.exe

description	pid	process	target process
PID 988 wrote to memory of 3040	988	PolarisBiosEditor-master.exe	PolarisBiosEditor.exe
PID 988 wrote to memory of 3040	988	PolarisBiosEditor-master.exe	PolarisBiosEditor.exe
PID 988 wrote to memory of 3040	988	PolarisBiosEditor-master.exe	PolarisBiosEditor.exe
PID 3040 wrote to memory of 3676	3040	PolarisBiosEditor.exe	PolarisBiosEditor.exe
PID 3040 wrote to memory of 3676	3040	PolarisBiosEditor.exe	PolarisBiosEditor.exe
PID 3040 wrote to memory of 3676	3040	PolarisBiosEditor.exe	PolarisBiosEditor.exe
PID 3676 wrote to memory of 1964	3676	PolarisBiosEditor.exe	PolarisBiosEditor.exe
PID 3676 wrote to memory of 1964	3676	PolarisBiosEditor.exe	PolarisBiosEditor.exe
PID 3676 wrote to memory of 3960	3676	PolarisBiosEditor.exe	Net32 Driver.exe
PID 3676 wrote to memory of 3960	3676	PolarisBiosEditor.exe	Net32 Driver.exe
PID 3676 wrote to memory of 3960	3676	PolarisBiosEditor.exe	Net32 Driver.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe
PID 3960 wrote to memory of 4068	3960	Net32 Driver.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\PolarisBiosEditor-master.exe
"C:\Users\Admin\AppData\Local\Temp\PolarisBiosEditor-master.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PolarisBiosEditor.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PolarisBiosEditor.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PolarisBiosEditor.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PolarisBiosEditor.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3676

C:\Users\Admin\AppData\Local\Temp\PolarisBiosEditor.exe
"C:\Users\Admin\AppData\Local\Temp\PolarisBiosEditor.exe"
4⤵
- Executes dropped EXE
PID:1964

C:\Users\Admin\AppData\Local\Temp\Net32 Driver.exe
"C:\Users\Admin\AppData\Local\Temp\Net32 Driver.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
6⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Net32 Driver.exe

MD5
85e6b5e1fb3676b5ac51ba523c5fce55

SHA1
e3ab4da2d3f1184fa60bf24b0afea0530005865e

SHA256
e975ed557a3abcc7fa555e1eef77c9212bbcad26d9bd8721bd4b4a9f7af7ffa1

SHA512
94d6e3d8711c87448fe6e2b05223c4c186f9008e9f64051e98a375b22b7133352725a78d51a14298e8271912019cdb8e3345886fbb006c7cf9ad534ae204fe97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Net32 Driver.exe

MD5
85e6b5e1fb3676b5ac51ba523c5fce55

SHA1
e3ab4da2d3f1184fa60bf24b0afea0530005865e

SHA256
e975ed557a3abcc7fa555e1eef77c9212bbcad26d9bd8721bd4b4a9f7af7ffa1

SHA512
94d6e3d8711c87448fe6e2b05223c4c186f9008e9f64051e98a375b22b7133352725a78d51a14298e8271912019cdb8e3345886fbb006c7cf9ad534ae204fe97

Download Submit
C:\Users\Admin\AppData\Local\Temp\PolarisBiosEditor.exe

MD5
5648c468395db42112aac0eca6e855c0

SHA1
49e61799ed6cbf29de43ba380309dc2b75e483a3

SHA256
dcf30a5c5c33e6d6d651a64943868dd754e20434bff20f33d2617fbd72001ba9

SHA512
3928768093a254ce8a575bd140ca2c783d6d4c085aa032b570f4ea05f85edfd480e0ac18f4c6d7f1c8db812df4703b01b875e6dfde67df5bab1f226af7bfafe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PolarisBiosEditor.exe

MD5
5648c468395db42112aac0eca6e855c0

SHA1
49e61799ed6cbf29de43ba380309dc2b75e483a3

SHA256
dcf30a5c5c33e6d6d651a64943868dd754e20434bff20f33d2617fbd72001ba9

SHA512
3928768093a254ce8a575bd140ca2c783d6d4c085aa032b570f4ea05f85edfd480e0ac18f4c6d7f1c8db812df4703b01b875e6dfde67df5bab1f226af7bfafe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PolarisBiosEditor-0.bin

MD5
e622b643aabbaa380675305989acb0fa

SHA1
4eaa4a3298f531332d3ba669c3a7e7d32dc982f0

SHA256
013f664a01b97fc211841f5a00dffdac53b7adecd3ccf2d3e8b99dfb6533f7b4

SHA512
f0ebb501d4758ff2d5068944cf4dbda1bfe62d128a88761bf095b9478799e5340600720a579a606d293c9f8f3816a53eb6095c0c498d75039149d8aa2699e9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PolarisBiosEditor-1.bin

MD5
993cc0583bcc6b5e89c4fdf8fca73fd7

SHA1
1b18f43816d1882c3e6b5303655d355da1ddd751

SHA256
54c2f6a2bbbfec5a44236aa080b37f86dcca07c8e56ad02f6d8a4a466d1d11b2

SHA512
62557b19d513d67e4c12d1d94d46369cc3c20f813e0d30a363dfeddba326d231aa672d2d9af5f2fc473428024c878d04b26e44693b875d73c390c0771204cf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PolarisBiosEditor.exe

MD5
50d6e3d248ac970a9bc9bad7a7d17db8

SHA1
ff6dbddaed5a4a532433e3963e002d5d3e528104

SHA256
b39f71f1b959437c8c3ed05c4fced85efdd40e115b8b371a477567d86bdd84a8

SHA512
c2d154f8265e3fcad1604c4c6ad2346852d7fb7ff0d876ee2d9dff3cc8d55dff8552b7e4662379635756e1c6d642d269350cec9d5e7d263d4cf45e4ae0fb72b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PolarisBiosEditor.exe

MD5
50d6e3d248ac970a9bc9bad7a7d17db8

SHA1
ff6dbddaed5a4a532433e3963e002d5d3e528104

SHA256
b39f71f1b959437c8c3ed05c4fced85efdd40e115b8b371a477567d86bdd84a8

SHA512
c2d154f8265e3fcad1604c4c6ad2346852d7fb7ff0d876ee2d9dff3cc8d55dff8552b7e4662379635756e1c6d642d269350cec9d5e7d263d4cf45e4ae0fb72b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PolarisBiosEditor.exe

MD5
50d6e3d248ac970a9bc9bad7a7d17db8

SHA1
ff6dbddaed5a4a532433e3963e002d5d3e528104

SHA256
b39f71f1b959437c8c3ed05c4fced85efdd40e115b8b371a477567d86bdd84a8

SHA512
c2d154f8265e3fcad1604c4c6ad2346852d7fb7ff0d876ee2d9dff3cc8d55dff8552b7e4662379635756e1c6d642d269350cec9d5e7d263d4cf45e4ae0fb72b6

Download Submit
\Users\Admin\AppData\Local\Temp\is-HIHL6.tmp\_isetup\_isdecmp.dll

MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
\Users\Admin\AppData\Local\Temp\is-HIHL6.tmp\_isetup\_isdecmp.dll

MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
\Users\Admin\AppData\Local\Temp\is-OQ585.tmp\_isetup\_isdecmp.dll

MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
\Users\Admin\AppData\Local\Temp\is-OQ585.tmp\_isetup\_isdecmp.dll

MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
memory/492-21-0x0000000000000000-mapping.dmp

Download
memory/492-22-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1964-13-0x0000000000000000-mapping.dmp

Download
memory/1964-19-0x00007FFA13040000-0x00007FFA139E0000-memory.dmp

Filesize
9.6MB

Download
memory/3040-2-0x0000000000000000-mapping.dmp

Download
memory/3676-8-0x0000000000000000-mapping.dmp

Download
memory/3960-16-0x0000000000000000-mapping.dmp

Download
memory/4068-20-0x0000000000000000-mapping.dmp

Download