remcos | 6624ce134dd16a37d6615483002f24b74c74c55b45259bc5408b7ae804d0fe22

Analysis

max time kernel
148s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
01-01-2021 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

godflex-r2.exe
Size

2.1MB
MD5

bc9d8bf64ab149a01edd9bfe3cc8dad9
SHA1

abb61ea183d5d9e5a2a0f81aeda36abb6adf1aa0
SHA256

6624ce134dd16a37d6615483002f24b74c74c55b45259bc5408b7ae804d0fe22
SHA512

72330be2414f04a7557caea52739f9e2721b22a73b9416b441875a42f46e531dd51213fd3259e0c862b82035ba68694651ebffe2547370866896fa52ca1df729

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

193.111.198.220:5861

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

17 3332 cmd.exe
Executes dropped EXE 4 IoCs

Processes:

ETHlargementPill-r2.exeETHlargementPill-r2.exeETHlargementPill-r2.exeNet32 Driver.exe

pid process

3712 ETHlargementPill-r2.exe
4316 ETHlargementPill-r2.exe
4196 ETHlargementPill-r2.exe
3904 Net32 Driver.exe

flow	pid	process
17	3332	cmd.exe

pid	process
3712	ETHlargementPill-r2.exe
4316	ETHlargementPill-r2.exe
4196	ETHlargementPill-r2.exe
3904	Net32 Driver.exe

JavaScript code in executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ETHlargementPill-r2.exe	js
C:\Users\Admin\AppData\Local\Temp\ETHlargementPill-r2.exe	js

Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\mdrs.job cmd.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

ETHlargementPill-r2.exeNet32 Driver.exenotepad.exe

pid process

4316 ETHlargementPill-r2.exe
4316 ETHlargementPill-r2.exe
3904 Net32 Driver.exe
648 notepad.exe
648 notepad.exe
648 notepad.exe
648 notepad.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

notepad.exe

pid process

648 notepad.exe
648 notepad.exe
648 notepad.exe
648 notepad.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ETHlargementPill-r2.exe

pid process

4316 ETHlargementPill-r2.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

3332 cmd.exe

description	ioc	process
File created	C:\Windows\Tasks\mdrs.job	cmd.exe

pid	process
4316	ETHlargementPill-r2.exe
4316	ETHlargementPill-r2.exe
3904	Net32 Driver.exe
648	notepad.exe
648	notepad.exe
648	notepad.exe
648	notepad.exe

pid	process
648	notepad.exe
648	notepad.exe
648	notepad.exe
648	notepad.exe

pid	process
4316	ETHlargementPill-r2.exe

pid	process
3332	cmd.exe

Suspicious use of WriteProcessMemory 201 IoCs

Processes:

godflex-r2.exeETHlargementPill-r2.exeETHlargementPill-r2.exeNet32 Driver.exe

description	pid	process	target process
PID 4760 wrote to memory of 3712	4760	godflex-r2.exe	ETHlargementPill-r2.exe
PID 4760 wrote to memory of 3712	4760	godflex-r2.exe	ETHlargementPill-r2.exe
PID 4760 wrote to memory of 3712	4760	godflex-r2.exe	ETHlargementPill-r2.exe
PID 3712 wrote to memory of 4316	3712	ETHlargementPill-r2.exe	ETHlargementPill-r2.exe
PID 3712 wrote to memory of 4316	3712	ETHlargementPill-r2.exe	ETHlargementPill-r2.exe
PID 3712 wrote to memory of 4316	3712	ETHlargementPill-r2.exe	ETHlargementPill-r2.exe
PID 4316 wrote to memory of 4196	4316	ETHlargementPill-r2.exe	ETHlargementPill-r2.exe
PID 4316 wrote to memory of 4196	4316	ETHlargementPill-r2.exe	ETHlargementPill-r2.exe
PID 4316 wrote to memory of 3904	4316	ETHlargementPill-r2.exe	Net32 Driver.exe
PID 4316 wrote to memory of 3904	4316	ETHlargementPill-r2.exe	Net32 Driver.exe
PID 4316 wrote to memory of 3904	4316	ETHlargementPill-r2.exe	Net32 Driver.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe
PID 3904 wrote to memory of 648	3904	Net32 Driver.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\godflex-r2.exe
"C:\Users\Admin\AppData\Local\Temp\godflex-r2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ETHlargementPill-r2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ETHlargementPill-r2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ETHlargementPill-r2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ETHlargementPill-r2.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\AppData\Local\Temp\ETHlargementPill-r2.exe
"C:\Users\Admin\AppData\Local\Temp\ETHlargementPill-r2.exe"
4⤵
- Executes dropped EXE
PID:4196

C:\Users\Admin\AppData\Local\Temp\Net32 Driver.exe
"C:\Users\Admin\AppData\Local\Temp\Net32 Driver.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
6⤵
PID:4372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
6⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
6⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
6⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ETHlargementPill-r2.exe

MD5
1351bf58a407fa5f89a6613e00a2e9df

SHA1
547bae93c4437183e9d3176d226afac20af287e9

SHA256
1261052e34b3205dc04f5dd9e4b76d2649dbcda738dc8e2665b07f56d659e716

SHA512
38ad312442031871ac73a8fad87fdf0d02900764caa697bf3dcbd6b13c35e42ce32f1fa729bf09b4830c8f265054201256baa1e7b1d51730efb4bddc6a3e4ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ETHlargementPill-r2.exe

MD5
1351bf58a407fa5f89a6613e00a2e9df

SHA1
547bae93c4437183e9d3176d226afac20af287e9

SHA256
1261052e34b3205dc04f5dd9e4b76d2649dbcda738dc8e2665b07f56d659e716

SHA512
38ad312442031871ac73a8fad87fdf0d02900764caa697bf3dcbd6b13c35e42ce32f1fa729bf09b4830c8f265054201256baa1e7b1d51730efb4bddc6a3e4ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Net32 Driver.exe

MD5
85e6b5e1fb3676b5ac51ba523c5fce55

SHA1
e3ab4da2d3f1184fa60bf24b0afea0530005865e

SHA256
e975ed557a3abcc7fa555e1eef77c9212bbcad26d9bd8721bd4b4a9f7af7ffa1

SHA512
94d6e3d8711c87448fe6e2b05223c4c186f9008e9f64051e98a375b22b7133352725a78d51a14298e8271912019cdb8e3345886fbb006c7cf9ad534ae204fe97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Net32 Driver.exe

MD5
85e6b5e1fb3676b5ac51ba523c5fce55

SHA1
e3ab4da2d3f1184fa60bf24b0afea0530005865e

SHA256
e975ed557a3abcc7fa555e1eef77c9212bbcad26d9bd8721bd4b4a9f7af7ffa1

SHA512
94d6e3d8711c87448fe6e2b05223c4c186f9008e9f64051e98a375b22b7133352725a78d51a14298e8271912019cdb8e3345886fbb006c7cf9ad534ae204fe97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ETHlargementPill-r2-0.bin

MD5
c2d1c703df07762531cac2ed985cd80f

SHA1
14a3c4ebd14ce2358ba60d9bb45ff120bd622288

SHA256
91642edf1a743ee4ff66f5f3705f7f285781c6c4a5c80f002e5e6c5efab5b9f2

SHA512
33d2306c506a50c2e314850449ec15994f4325c803db053a32d2f8cd24c9602b44a4f03453742c8ee89e26685ed7329648f74ab5254e3436ef33186d2f264827

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ETHlargementPill-r2-1.bin

MD5
8e99267b6bfa6a1fe9071413f641bff1

SHA1
86f71fbc2fd9aa5d952c84d58dd9a034940ed215

SHA256
476ac528962d3120679d70312bd8c61aa12162fbad62a413bf8ed9081968f0ba

SHA512
f235d8b7b857257bd696b8d71bc09748cfdee415544fe6e9da365ac52347479f9ad03b7ad335fbca42519f2341c2a7269a128f3e9af0836d7bb1f6ea2f050b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ETHlargementPill-r2.exe

MD5
6cf20e4af300fcf3d82a11fae597a53a

SHA1
1bddf1912de5183f40700c0c61473f069786a41f

SHA256
e9c668f12a06ecb6375cedbf324e6284f50e1ddea797c3393c6356512d98a8bd

SHA512
1f0077f84d0d012fb4e7592b215275d8fa8f0e0ad491afd93fead6aa42bbe0d20568720173320f1b05a2833f62110583c42731209e6a218f85bb7a407505016a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ETHlargementPill-r2.exe

MD5
6cf20e4af300fcf3d82a11fae597a53a

SHA1
1bddf1912de5183f40700c0c61473f069786a41f

SHA256
e9c668f12a06ecb6375cedbf324e6284f50e1ddea797c3393c6356512d98a8bd

SHA512
1f0077f84d0d012fb4e7592b215275d8fa8f0e0ad491afd93fead6aa42bbe0d20568720173320f1b05a2833f62110583c42731209e6a218f85bb7a407505016a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ETHlargementPill-r2.exe

MD5
6cf20e4af300fcf3d82a11fae597a53a

SHA1
1bddf1912de5183f40700c0c61473f069786a41f

SHA256
e9c668f12a06ecb6375cedbf324e6284f50e1ddea797c3393c6356512d98a8bd

SHA512
1f0077f84d0d012fb4e7592b215275d8fa8f0e0ad491afd93fead6aa42bbe0d20568720173320f1b05a2833f62110583c42731209e6a218f85bb7a407505016a

Download Submit
memory/648-16-0x0000000000000000-mapping.dmp

Download
memory/3332-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3332-20-0x0000000000000000-mapping.dmp

Download
memory/3712-3-0x0000000000000000-mapping.dmp

Download
memory/3904-12-0x0000000000000000-mapping.dmp

Download
memory/4196-19-0x00007FF7B41C0000-0x00007FF7B4237000-memory.dmp

Filesize
476KB

Download
memory/4196-10-0x0000000000000000-mapping.dmp

Download
memory/4316-7-0x0000000000000000-mapping.dmp

Download