remcos | 581bd1167bd9b40944de9a2d8842ed8aa841fdfc69d896c24520873095e0ac03

General

Target

Original BL_pdf.scr
Size

136KB
MD5

7fd79d1258fa8ed52e0d49bd780acd2e
SHA1

ede2f547aae04f958172240dfd6cd0b76990e006
SHA256

581bd1167bd9b40944de9a2d8842ed8aa841fdfc69d896c24520873095e0ac03
SHA512

8b093424dccf6f879a792a6516536c8e02d771d0f7cd69eb706c553a0d75121a2cf9172c0f91de0c53189ce8eb6928e0b2a3ec4503024d63eb3090ec22c0feb0

Score

10^/10

remcos persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ieinstal.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Appdata\\Yourphone.scr"	ieinstal.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Original BL_pdf.scrieinstal.exe

pid process

500 Original BL_pdf.scr
2852 ieinstal.exe
2852 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Original BL_pdf.scr

description pid process target process

PID 500 set thread context of 2852 500 Original BL_pdf.scr ieinstal.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Original BL_pdf.scr

pid process

500 Original BL_pdf.scr
500 Original BL_pdf.scr
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Original BL_pdf.scrieinstal.exe

pid process

500 Original BL_pdf.scr
2852 ieinstal.exe

pid	process
500	Original BL_pdf.scr
2852	ieinstal.exe
2852	ieinstal.exe

description	pid	process	target process
PID 500 set thread context of 2852	500	Original BL_pdf.scr	ieinstal.exe

pid	process
500	Original BL_pdf.scr
500	Original BL_pdf.scr

pid	process
500	Original BL_pdf.scr
2852	ieinstal.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Original BL_pdf.scr

description	pid	process	target process
PID 500 wrote to memory of 3164	500	Original BL_pdf.scr	ieinstal.exe
PID 500 wrote to memory of 3164	500	Original BL_pdf.scr	ieinstal.exe
PID 500 wrote to memory of 3164	500	Original BL_pdf.scr	ieinstal.exe
PID 500 wrote to memory of 2852	500	Original BL_pdf.scr	ieinstal.exe
PID 500 wrote to memory of 2852	500	Original BL_pdf.scr	ieinstal.exe
PID 500 wrote to memory of 2852	500	Original BL_pdf.scr	ieinstal.exe
PID 500 wrote to memory of 2852	500	Original BL_pdf.scr	ieinstal.exe

C:\Users\Admin\AppData\Local\Temp\Original BL_pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Original BL_pdf.scr" /S
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:500

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\Original BL_pdf.scr" /S
2⤵
PID:3164

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\Original BL_pdf.scr" /S
2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2852-5-0x0000000003240000-mapping.dmp

Download
memory/2852-4-0x0000000003240000-0x0000000003340000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing