remcos | 816f26e5b5de1be644fff419718bc3e1b8410a4a9a9f405d8db814e7758608d9

General

Target

DHL fil.exe
Size

1.7MB
MD5

0400ac5d652f38d0b60274ceed2e673a
SHA1

9c4ea3cda7382930907a89dc8c6ad22dcecc0e67
SHA256

816f26e5b5de1be644fff419718bc3e1b8410a4a9a9f405d8db814e7758608d9
SHA512

389776faa311fa1b10e9eda5a0f93898109f73e75214fe1007ea6bb03c87bb26f76506a1828b42825f8ed1d8d4ac3969e4836a628514ae05a99753ce0629bc37

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

u875414.nvpn.to:2404

u875414.duckdns.org:2404

u875414.ddns.net:2404

u875414.nsupdate.info:2404

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL fil.exe

description pid process target process

PID 1020 set thread context of 3836 1020 DHL fil.exe DHL fil.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2416 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DHL fil.exe

pid process

3836 DHL fil.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

DHL fil.exe

pid process

1020 DHL fil.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

DHL fil.exe

pid process

3836 DHL fil.exe

description	pid	process	target process
PID 1020 set thread context of 3836	1020	DHL fil.exe	DHL fil.exe

pid	process
2416	schtasks.exe

pid	process
3836	DHL fil.exe

pid	process
1020	DHL fil.exe

pid	process
3836	DHL fil.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

DHL fil.execmd.exe

description	pid	process	target process
PID 1020 wrote to memory of 2696	1020	DHL fil.exe	cmd.exe
PID 1020 wrote to memory of 2696	1020	DHL fil.exe	cmd.exe
PID 1020 wrote to memory of 2696	1020	DHL fil.exe	cmd.exe
PID 1020 wrote to memory of 3836	1020	DHL fil.exe	DHL fil.exe
PID 1020 wrote to memory of 3836	1020	DHL fil.exe	DHL fil.exe
PID 1020 wrote to memory of 3836	1020	DHL fil.exe	DHL fil.exe
PID 1020 wrote to memory of 3836	1020	DHL fil.exe	DHL fil.exe
PID 2696 wrote to memory of 2416	2696	cmd.exe	schtasks.exe
PID 2696 wrote to memory of 2416	2696	cmd.exe	schtasks.exe
PID 2696 wrote to memory of 2416	2696	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\DHL fil.exe
"C:\Users\Admin\AppData\Local\Temp\DHL fil.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN firefox /XML "C:\Users\Admin\AppData\Local\Temp\c571f70d86ea41e1ade60440eec90e9a.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN firefox /XML "C:\Users\Admin\AppData\Local\Temp\c571f70d86ea41e1ade60440eec90e9a.xml"
3⤵
- Creates scheduled task(s)
PID:2416

C:\Users\Admin\AppData\Local\Temp\DHL fil.exe
"C:\Users\Admin\AppData\Local\Temp\DHL fil.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c571f70d86ea41e1ade60440eec90e9a.xml

MD5
3eb7080f35afc6fa9b8f1fa283d2b791

SHA1
f80ee9052dbf76740e6403e19f7f34a1183b2d4f

SHA256
ef889688b9761824a648b98601dfe3f31aedade2124aa959ccb79e82276a1fde

SHA512
2e270670bda47ff744256744b110518c1cfc2758dad5e5508f1514454805a2ae9e4850b8aa874f40d01c451b5a24b293d9a493df6fe39c8a902dc8842a436f36

Download Submit
memory/2416-7-0x0000000000000000-mapping.dmp

Download
memory/2696-2-0x0000000000000000-mapping.dmp

Download
memory/3836-3-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3836-4-0x0000000000413FA4-mapping.dmp

Download
memory/3836-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads