remcos | 581bd1167bd9b40944de9a2d8842ed8aa841fdfc69d896c24520873095e0ac03

General

Target

Original BL_pdf.scr
Size

136KB
MD5

7fd79d1258fa8ed52e0d49bd780acd2e
SHA1

ede2f547aae04f958172240dfd6cd0b76990e006
SHA256

581bd1167bd9b40944de9a2d8842ed8aa841fdfc69d896c24520873095e0ac03
SHA512

8b093424dccf6f879a792a6516536c8e02d771d0f7cd69eb706c553a0d75121a2cf9172c0f91de0c53189ce8eb6928e0b2a3ec4503024d63eb3090ec22c0feb0

Score

10^/10

remcos persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ieinstal.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Appdata\\Yourphone.scr"	ieinstal.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Original BL_pdf.scrieinstal.exe

pid process

1756 Original BL_pdf.scr
1300 ieinstal.exe
1300 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Original BL_pdf.scr

description pid process target process

PID 1756 set thread context of 1300 1756 Original BL_pdf.scr ieinstal.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Original BL_pdf.scr

pid process

1756 Original BL_pdf.scr
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Original BL_pdf.scrieinstal.exe

pid process

1756 Original BL_pdf.scr
1300 ieinstal.exe

pid	process
1756	Original BL_pdf.scr
1300	ieinstal.exe
1300	ieinstal.exe

description	pid	process	target process
PID 1756 set thread context of 1300	1756	Original BL_pdf.scr	ieinstal.exe

pid	process
1756	Original BL_pdf.scr

pid	process
1756	Original BL_pdf.scr
1300	ieinstal.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Original BL_pdf.scr

description	pid	process	target process
PID 1756 wrote to memory of 1300	1756	Original BL_pdf.scr	ieinstal.exe
PID 1756 wrote to memory of 1300	1756	Original BL_pdf.scr	ieinstal.exe
PID 1756 wrote to memory of 1300	1756	Original BL_pdf.scr	ieinstal.exe
PID 1756 wrote to memory of 1300	1756	Original BL_pdf.scr	ieinstal.exe
PID 1756 wrote to memory of 1300	1756	Original BL_pdf.scr	ieinstal.exe
PID 1756 wrote to memory of 1300	1756	Original BL_pdf.scr	ieinstal.exe
PID 1756 wrote to memory of 1300	1756	Original BL_pdf.scr	ieinstal.exe
PID 1756 wrote to memory of 1300	1756	Original BL_pdf.scr	ieinstal.exe

C:\Users\Admin\AppData\Local\Temp\Original BL_pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Original BL_pdf.scr" /S
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\Original BL_pdf.scr" /S
2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1300-4-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/1300-5-0x00000000001F0000-mapping.dmp

Download
memory/1456-6-0x000007FEF72E0000-0x000007FEF755A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing