remcos | 3d84d2ad35397d5b2b3d482886e2a15551053e903de3fb446704754b48ffa925

Analysis

max time kernel
149s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
11-01-2021 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

atiflash_293.exe
Size

3.2MB
MD5

e6172650b97c48b350630e67e13387d9
SHA1

ad2a2c83d70088b1fe69adb77b8efdccb280be04
SHA256

3d84d2ad35397d5b2b3d482886e2a15551053e903de3fb446704754b48ffa925
SHA512

8a61d1a837c338f09fc21f1bb803ecb3813174015724b4bb69dc4c444086efef3e83702483dc7c41acfb0ea11cdcda7c8585eedfcff485e3c66c70ab65280ac8

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

94.242.206.175:5883

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 2 IoCs

Processes:

cmd.exe

flow pid process

17 744 cmd.exe
18 744 cmd.exe
Executes dropped EXE 4 IoCs

Processes:

atiwinflash.exeatiwinflash.exeamdvbflashWin.exezatiwinflash.exe

pid process

3144 atiwinflash.exe
2648 atiwinflash.exe
204 amdvbflashWin.exe
2312 zatiwinflash.exe
Loads dropped DLL 1 IoCs

Processes:

amdvbflashWin.exe

pid process

204 amdvbflashWin.exe

flow	pid	process
17	744	cmd.exe
18	744	cmd.exe

pid	process
3144	atiwinflash.exe
2648	atiwinflash.exe
204	amdvbflashWin.exe
2312	zatiwinflash.exe

pid	process
204	amdvbflashWin.exe

JavaScript code in executable 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash-1.bin	js
C:\Program Files (x86)\My Program\amdvbflashWin.exe	js
C:\Program Files (x86)\My Program\amdvbflashWin.exe	js

Drops file in System32 directory 2 IoCs

Processes:

atiwinflash.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\zatiwinflash.exe	atiwinflash.exe
File created	C:\Windows\SysWOW64\is-IC2AB.tmp	atiwinflash.exe

Drops file in Program Files directory 31 IoCs

Processes:

atiwinflash.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\My Program\amdvbflashWin.exe	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashchs.dll	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-8K8IC.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-SCT6T.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-3NLSD.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-GVIVD.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-08MMB.tmp	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ULPSCtrl.dll	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashesp.dll	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-03PH1.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-JJNTO.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-EDQ60.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-EQVNK.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-115TL.tmp	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashjpn.dll	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-B5OGB.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-SDESM.tmp	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashdef.dll	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-V6AV1.tmp	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashfra.dll	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashkor.dll	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashdeu.dll	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashita.dll	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-OGBKC.tmp	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashenu.dll	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashptb.dll	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashsve.dll	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-FOF43.tmp	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashcht.dll	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-9N27K.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-M76P5.tmp	atiwinflash.exe

Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\HelpPane.job cmd.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

atiwinflash.exezatiwinflash.exenotepad.exe

pid process

2648 atiwinflash.exe
2648 atiwinflash.exe
2312 zatiwinflash.exe
3720 notepad.exe
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

620
620
620
620
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

notepad.exe

pid process

3720 notepad.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

atiwinflash.exe

pid process

2648 atiwinflash.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

amdvbflashWin.exezatiwinflash.execmd.exe

pid process

204 amdvbflashWin.exe
2312 zatiwinflash.exe
744 cmd.exe

description	ioc	process
File created	C:\Windows\Tasks\HelpPane.job	cmd.exe

pid	process
2648	atiwinflash.exe
2648	atiwinflash.exe
2312	zatiwinflash.exe
3720	notepad.exe

pid	process
620
620
620
620

pid	process
3720	notepad.exe

pid	process
2648	atiwinflash.exe

pid	process
204	amdvbflashWin.exe
2312	zatiwinflash.exe
744	cmd.exe

Suspicious use of WriteProcessMemory 174 IoCs

Processes:

atiflash_293.exeatiwinflash.exeatiwinflash.exezatiwinflash.exe

description	pid	process	target process
PID 1400 wrote to memory of 3144	1400	atiflash_293.exe	atiwinflash.exe
PID 1400 wrote to memory of 3144	1400	atiflash_293.exe	atiwinflash.exe
PID 1400 wrote to memory of 3144	1400	atiflash_293.exe	atiwinflash.exe
PID 3144 wrote to memory of 2648	3144	atiwinflash.exe	atiwinflash.exe
PID 3144 wrote to memory of 2648	3144	atiwinflash.exe	atiwinflash.exe
PID 3144 wrote to memory of 2648	3144	atiwinflash.exe	atiwinflash.exe
PID 2648 wrote to memory of 204	2648	atiwinflash.exe	amdvbflashWin.exe
PID 2648 wrote to memory of 204	2648	atiwinflash.exe	amdvbflashWin.exe
PID 2648 wrote to memory of 204	2648	atiwinflash.exe	amdvbflashWin.exe
PID 2648 wrote to memory of 2312	2648	atiwinflash.exe	zatiwinflash.exe
PID 2648 wrote to memory of 2312	2648	atiwinflash.exe	zatiwinflash.exe
PID 2648 wrote to memory of 2312	2648	atiwinflash.exe	zatiwinflash.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe
PID 2312 wrote to memory of 3720	2312	zatiwinflash.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\atiflash_293.exe
"C:\Users\Admin\AppData\Local\Temp\atiflash_293.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2648

C:\Program Files (x86)\My Program\amdvbflashWin.exe
"C:\Program Files (x86)\My Program\amdvbflashWin.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:204

C:\Windows\SysWOW64\zatiwinflash.exe
"C:\Windows\SysWOW64\zatiwinflash.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
6⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\My Program\ATIWinflashenu.dll
MD5
9ad4a476b03ad2f9034ac1b30f006a4f

SHA1
cc96accc636eb105dd4d6ed459780a3065b36734

SHA256
9b5f694c4381ac3c4c2dd1f5a7241a4318f9d2a57ef60db1fbf36fd50b7242cc

SHA512
688b61633ae7cb56b1a8aa3c200628004020161ea643bbd9661de2f34dbfe1a5ee4a8997417e5448260b41f051a7bb71f68db1cf975e4ac56915edcef8b81658

Download Submit
C:\Program Files (x86)\My Program\amdvbflashWin.exe
MD5
0c9bbd178196c451beb69302294c9330

SHA1
28c12558a93fdb6a5da086ec72b9e049f545982d

SHA256
d7e0e886486181692ee2ee0930dd5974456c1c7470e89ebc392ffe040574a328

SHA512
ba3ce393c5a1d4e8aa60ee8debd3edb1016317c707cc54f083fc41125957f4971e720de784ea961f2375eccd976c46fc9ecdc97209a5b0c4e016e6d658bbfd07

Download Submit
C:\Program Files (x86)\My Program\amdvbflashWin.exe
MD5
0c9bbd178196c451beb69302294c9330

SHA1
28c12558a93fdb6a5da086ec72b9e049f545982d

SHA256
d7e0e886486181692ee2ee0930dd5974456c1c7470e89ebc392ffe040574a328

SHA512
ba3ce393c5a1d4e8aa60ee8debd3edb1016317c707cc54f083fc41125957f4971e720de784ea961f2375eccd976c46fc9ecdc97209a5b0c4e016e6d658bbfd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash-0.bin
MD5
ba3704cb4c2a4d5dc08598c5720a0b37

SHA1
e8ec82e06f3fb58474f898847bc7ecfe3717cea0

SHA256
23406c0629d480ab4db3909dc103e577d9e5080c5e8be059b4c5d211adce6625

SHA512
f1b6066695573b032076a1cc05a5da4a7d67fa27bc6d1b1e113bd927c1c1eb279021dff50e99b69a484d31b963a8bad22de605498e8b310bc967f0725f0dc7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash-1.bin
MD5
c850123aa3753e8e5665f329e9b83e41

SHA1
26419b90b539f2da529e40ed6b88e00f981b1618

SHA256
1cdc3094d875a040b16ead487e9c335095791d8f9b8463733c1181c3e3809be0

SHA512
9dca6a581b00ae080ce919506785b2a1afff3c1404507ff393cf33be1b58fc5392411233d8de20ecc399143cce6ddefc2514e24416a5a710fa93d2b9a0846cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe
MD5
93adde4b19317826f3a8991013fe235e

SHA1
fc83922dfe41a6d0990448d33ad2f1421303dbf2

SHA256
20119b217ab1c6eea456b166fd40c9b5942684b58999c59b67d689441cdcf9e6

SHA512
8a38f85c7939a716ea1bd557d86417de1706dad77212e8dd99d5b7fad1a77b3849e1aa497f9904b71e44203aa1c23287e43dbbfc7a64570b8ae5b26dd25174cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe
MD5
93adde4b19317826f3a8991013fe235e

SHA1
fc83922dfe41a6d0990448d33ad2f1421303dbf2

SHA256
20119b217ab1c6eea456b166fd40c9b5942684b58999c59b67d689441cdcf9e6

SHA512
8a38f85c7939a716ea1bd557d86417de1706dad77212e8dd99d5b7fad1a77b3849e1aa497f9904b71e44203aa1c23287e43dbbfc7a64570b8ae5b26dd25174cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe
MD5
93adde4b19317826f3a8991013fe235e

SHA1
fc83922dfe41a6d0990448d33ad2f1421303dbf2

SHA256
20119b217ab1c6eea456b166fd40c9b5942684b58999c59b67d689441cdcf9e6

SHA512
8a38f85c7939a716ea1bd557d86417de1706dad77212e8dd99d5b7fad1a77b3849e1aa497f9904b71e44203aa1c23287e43dbbfc7a64570b8ae5b26dd25174cb

Download Submit
C:\Windows\SysWOW64\zatiwinflash.exe
MD5
b482a15e02f50b37e00a2c4fccaac7f9

SHA1
b9874893328b43970e09c9d42319d0c3f044f448

SHA256
58c24970b7e3fd8a86585547df9a939b5cf6d5326b798400c804d9f55ddb3b10

SHA512
2f7aa997016b6013a41e9d658265fd988ef0e36228bd773414788cafd61d531a30fc060434b5689dd23bd62d00a44642f76434c314dc9b1f6cdf980cc6904512

Download Submit
C:\Windows\SysWOW64\zatiwinflash.exe
MD5
b482a15e02f50b37e00a2c4fccaac7f9

SHA1
b9874893328b43970e09c9d42319d0c3f044f448

SHA256
58c24970b7e3fd8a86585547df9a939b5cf6d5326b798400c804d9f55ddb3b10

SHA512
2f7aa997016b6013a41e9d658265fd988ef0e36228bd773414788cafd61d531a30fc060434b5689dd23bd62d00a44642f76434c314dc9b1f6cdf980cc6904512

Download Submit
\Program Files (x86)\My Program\ATIWinflashenu.dll
MD5
9ad4a476b03ad2f9034ac1b30f006a4f

SHA1
cc96accc636eb105dd4d6ed459780a3065b36734

SHA256
9b5f694c4381ac3c4c2dd1f5a7241a4318f9d2a57ef60db1fbf36fd50b7242cc

SHA512
688b61633ae7cb56b1a8aa3c200628004020161ea643bbd9661de2f34dbfe1a5ee4a8997417e5448260b41f051a7bb71f68db1cf975e4ac56915edcef8b81658

Download Submit
memory/204-10-0x0000000000000000-mapping.dmp

Download
memory/744-19-0x0000000000000000-mapping.dmp

Download
memory/744-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2312-13-0x0000000000000000-mapping.dmp

Download
memory/2648-7-0x0000000000000000-mapping.dmp

Download
memory/3144-3-0x0000000000000000-mapping.dmp

Download
memory/3720-18-0x0000000000000000-mapping.dmp

Download