remcos | 4fe8c8398a6cf30cfd7cbed590de821abdb40aa177781c43c19bdfec75308355

Analysis

max time kernel
148s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
06-01-2021 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New PO.exe
Size

665KB
MD5

5ad9944b195708e20ed9008a6aca905d
SHA1

56a770ba16062100d0cb2574fe24a042718c9fbc
SHA256

4fe8c8398a6cf30cfd7cbed590de821abdb40aa177781c43c19bdfec75308355
SHA512

a4e92e98029adb6d46a6d225d90284ec2b11c8b3763557a80c3fe8fd629cb0ccfb3f7c0570430127c6c3a3d3146c9ea73321f1ccbf6a664d3af5690c1fd6ae7d

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

194.5.98.32:959

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

New PO.exe

description pid process target process

PID 4708 set thread context of 4256 4708 New PO.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

New PO.exe

pid process

4708 New PO.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

New PO.exe

description pid process

Token: SeDebugPrivilege 4708 New PO.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

4256 vbc.exe

description	pid	process	target process
PID 4708 set thread context of 4256	4708	New PO.exe	vbc.exe

pid	process
4708	New PO.exe

description	pid	process
Token: SeDebugPrivilege	4708	New PO.exe

pid	process
4256	vbc.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

New PO.exe

description	pid	process	target process
PID 4708 wrote to memory of 4256	4708	New PO.exe	vbc.exe
PID 4708 wrote to memory of 4256	4708	New PO.exe	vbc.exe
PID 4708 wrote to memory of 4256	4708	New PO.exe	vbc.exe
PID 4708 wrote to memory of 4256	4708	New PO.exe	vbc.exe
PID 4708 wrote to memory of 4256	4708	New PO.exe	vbc.exe
PID 4708 wrote to memory of 4256	4708	New PO.exe	vbc.exe
PID 4708 wrote to memory of 4256	4708	New PO.exe	vbc.exe
PID 4708 wrote to memory of 4256	4708	New PO.exe	vbc.exe
PID 4708 wrote to memory of 4256	4708	New PO.exe	vbc.exe
PID 4708 wrote to memory of 4256	4708	New PO.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\New PO.exe
"C:\Users\Admin\AppData\Local\Temp\New PO.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:4256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4256-3-0x0000000000413FA4-mapping.dmp

Download
memory/4256-2-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4256-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download