remcos | 3e1b557d439ca592c369de0b80c576820f61dcbc12c8babae78f3e30ba34f0af

General

Target

e8594ea84a7a42ce70570019cff754a6.exe
Size

1.3MB
MD5

e8594ea84a7a42ce70570019cff754a6
SHA1

28c61ddbc341aff36ef147f1cb9139b7d055caf1
SHA256

3e1b557d439ca592c369de0b80c576820f61dcbc12c8babae78f3e30ba34f0af
SHA512

2cd119489120dee762c4a7821230f05924e6c99f79d7bc54e0bd4437256ec7526b906fe8f69c959f89ab001a055d6feeaa120e1174998577b17178351c8bf1b9

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

vlc.exevlc.exe

pid process

516 vlc.exe
3924 vlc.exe

pid	process
516	vlc.exe
3924	vlc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e8594ea84a7a42ce70570019cff754a6.exevlc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc.exe\""	e8594ea84a7a42ce70570019cff754a6.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vlc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc.exe\""	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	e8594ea84a7a42ce70570019cff754a6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

e8594ea84a7a42ce70570019cff754a6.exevlc.exe

pid	process
832	e8594ea84a7a42ce70570019cff754a6.exe
832	e8594ea84a7a42ce70570019cff754a6.exe
832	e8594ea84a7a42ce70570019cff754a6.exe
832	e8594ea84a7a42ce70570019cff754a6.exe
832	e8594ea84a7a42ce70570019cff754a6.exe
832	e8594ea84a7a42ce70570019cff754a6.exe
832	e8594ea84a7a42ce70570019cff754a6.exe
832	e8594ea84a7a42ce70570019cff754a6.exe
832	e8594ea84a7a42ce70570019cff754a6.exe
832	e8594ea84a7a42ce70570019cff754a6.exe
832	e8594ea84a7a42ce70570019cff754a6.exe
832	e8594ea84a7a42ce70570019cff754a6.exe
516	vlc.exe
516	vlc.exe
516	vlc.exe
516	vlc.exe
516	vlc.exe
516	vlc.exe
516	vlc.exe
516	vlc.exe
516	vlc.exe
516	vlc.exe
516	vlc.exe
516	vlc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e8594ea84a7a42ce70570019cff754a6.exevlc.exe

description	pid	process	target process
PID 832 set thread context of 2844	832	e8594ea84a7a42ce70570019cff754a6.exe	e8594ea84a7a42ce70570019cff754a6.exe
PID 516 set thread context of 3924	516	vlc.exe	vlc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

996 832 WerFault.exe e8594ea84a7a42ce70570019cff754a6.exe
312 516 WerFault.exe vlc.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

2340 timeout.exe
936 timeout.exe
2928 timeout.exe
704 timeout.exe
3992 timeout.exe
2172 timeout.exe

pid	pid_target	process	target process
996	832	WerFault.exe	e8594ea84a7a42ce70570019cff754a6.exe
312	516	WerFault.exe	vlc.exe

pid	process
2340	timeout.exe
936	timeout.exe
2928	timeout.exe
704	timeout.exe
3992	timeout.exe
2172	timeout.exe

Modifies registry class 1 IoCs

Processes:

e8594ea84a7a42ce70570019cff754a6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	e8594ea84a7a42ce70570019cff754a6.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

e8594ea84a7a42ce70570019cff754a6.exeWerFault.exevlc.exeWerFault.exe

pid	process
832	e8594ea84a7a42ce70570019cff754a6.exe
832	e8594ea84a7a42ce70570019cff754a6.exe
832	e8594ea84a7a42ce70570019cff754a6.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
516	vlc.exe
516	vlc.exe
516	vlc.exe
312	WerFault.exe
312	WerFault.exe
312	WerFault.exe
312	WerFault.exe
312	WerFault.exe
312	WerFault.exe
312	WerFault.exe
312	WerFault.exe
312	WerFault.exe
312	WerFault.exe
312	WerFault.exe
312	WerFault.exe
312	WerFault.exe
312	WerFault.exe
312	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

3924 vlc.exe

pid	process
3924	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

e8594ea84a7a42ce70570019cff754a6.exeWerFault.exevlc.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	832	e8594ea84a7a42ce70570019cff754a6.exe
Token: SeRestorePrivilege	996	WerFault.exe
Token: SeBackupPrivilege	996	WerFault.exe
Token: SeDebugPrivilege	996	WerFault.exe
Token: SeDebugPrivilege	516	vlc.exe
Token: SeDebugPrivilege	312	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

3924 vlc.exe

pid	process
3924	vlc.exe

Suspicious use of WriteProcessMemory 65 IoCs

Processes:

e8594ea84a7a42ce70570019cff754a6.execmd.execmd.execmd.exee8594ea84a7a42ce70570019cff754a6.exeWScript.execmd.exevlc.execmd.execmd.execmd.exe

description	pid	process	target process
PID 832 wrote to memory of 524	832	e8594ea84a7a42ce70570019cff754a6.exe	cmd.exe
PID 832 wrote to memory of 524	832	e8594ea84a7a42ce70570019cff754a6.exe	cmd.exe
PID 832 wrote to memory of 524	832	e8594ea84a7a42ce70570019cff754a6.exe	cmd.exe
PID 524 wrote to memory of 2172	524	cmd.exe	timeout.exe
PID 524 wrote to memory of 2172	524	cmd.exe	timeout.exe
PID 524 wrote to memory of 2172	524	cmd.exe	timeout.exe
PID 832 wrote to memory of 220	832	e8594ea84a7a42ce70570019cff754a6.exe	cmd.exe
PID 832 wrote to memory of 220	832	e8594ea84a7a42ce70570019cff754a6.exe	cmd.exe
PID 832 wrote to memory of 220	832	e8594ea84a7a42ce70570019cff754a6.exe	cmd.exe
PID 220 wrote to memory of 2340	220	cmd.exe	timeout.exe
PID 220 wrote to memory of 2340	220	cmd.exe	timeout.exe
PID 220 wrote to memory of 2340	220	cmd.exe	timeout.exe
PID 832 wrote to memory of 2956	832	e8594ea84a7a42ce70570019cff754a6.exe	cmd.exe
PID 832 wrote to memory of 2956	832	e8594ea84a7a42ce70570019cff754a6.exe	cmd.exe
PID 832 wrote to memory of 2956	832	e8594ea84a7a42ce70570019cff754a6.exe	cmd.exe
PID 2956 wrote to memory of 936	2956	cmd.exe	timeout.exe
PID 2956 wrote to memory of 936	2956	cmd.exe	timeout.exe
PID 2956 wrote to memory of 936	2956	cmd.exe	timeout.exe
PID 832 wrote to memory of 2844	832	e8594ea84a7a42ce70570019cff754a6.exe	e8594ea84a7a42ce70570019cff754a6.exe
PID 832 wrote to memory of 2844	832	e8594ea84a7a42ce70570019cff754a6.exe	e8594ea84a7a42ce70570019cff754a6.exe
PID 832 wrote to memory of 2844	832	e8594ea84a7a42ce70570019cff754a6.exe	e8594ea84a7a42ce70570019cff754a6.exe
PID 832 wrote to memory of 2844	832	e8594ea84a7a42ce70570019cff754a6.exe	e8594ea84a7a42ce70570019cff754a6.exe
PID 832 wrote to memory of 2844	832	e8594ea84a7a42ce70570019cff754a6.exe	e8594ea84a7a42ce70570019cff754a6.exe
PID 832 wrote to memory of 2844	832	e8594ea84a7a42ce70570019cff754a6.exe	e8594ea84a7a42ce70570019cff754a6.exe
PID 832 wrote to memory of 2844	832	e8594ea84a7a42ce70570019cff754a6.exe	e8594ea84a7a42ce70570019cff754a6.exe
PID 832 wrote to memory of 2844	832	e8594ea84a7a42ce70570019cff754a6.exe	e8594ea84a7a42ce70570019cff754a6.exe
PID 832 wrote to memory of 2844	832	e8594ea84a7a42ce70570019cff754a6.exe	e8594ea84a7a42ce70570019cff754a6.exe
PID 832 wrote to memory of 2844	832	e8594ea84a7a42ce70570019cff754a6.exe	e8594ea84a7a42ce70570019cff754a6.exe
PID 2844 wrote to memory of 3384	2844	e8594ea84a7a42ce70570019cff754a6.exe	WScript.exe
PID 2844 wrote to memory of 3384	2844	e8594ea84a7a42ce70570019cff754a6.exe	WScript.exe
PID 2844 wrote to memory of 3384	2844	e8594ea84a7a42ce70570019cff754a6.exe	WScript.exe
PID 3384 wrote to memory of 4012	3384	WScript.exe	cmd.exe
PID 3384 wrote to memory of 4012	3384	WScript.exe	cmd.exe
PID 3384 wrote to memory of 4012	3384	WScript.exe	cmd.exe
PID 4012 wrote to memory of 516	4012	cmd.exe	vlc.exe
PID 4012 wrote to memory of 516	4012	cmd.exe	vlc.exe
PID 4012 wrote to memory of 516	4012	cmd.exe	vlc.exe
PID 516 wrote to memory of 3756	516	vlc.exe	cmd.exe
PID 516 wrote to memory of 3756	516	vlc.exe	cmd.exe
PID 516 wrote to memory of 3756	516	vlc.exe	cmd.exe
PID 3756 wrote to memory of 2928	3756	cmd.exe	timeout.exe
PID 3756 wrote to memory of 2928	3756	cmd.exe	timeout.exe
PID 3756 wrote to memory of 2928	3756	cmd.exe	timeout.exe
PID 516 wrote to memory of 2788	516	vlc.exe	cmd.exe
PID 516 wrote to memory of 2788	516	vlc.exe	cmd.exe
PID 516 wrote to memory of 2788	516	vlc.exe	cmd.exe
PID 2788 wrote to memory of 704	2788	cmd.exe	timeout.exe
PID 2788 wrote to memory of 704	2788	cmd.exe	timeout.exe
PID 2788 wrote to memory of 704	2788	cmd.exe	timeout.exe
PID 516 wrote to memory of 2104	516	vlc.exe	cmd.exe
PID 516 wrote to memory of 2104	516	vlc.exe	cmd.exe
PID 516 wrote to memory of 2104	516	vlc.exe	cmd.exe
PID 2104 wrote to memory of 3992	2104	cmd.exe	timeout.exe
PID 2104 wrote to memory of 3992	2104	cmd.exe	timeout.exe
PID 2104 wrote to memory of 3992	2104	cmd.exe	timeout.exe
PID 516 wrote to memory of 3924	516	vlc.exe	vlc.exe
PID 516 wrote to memory of 3924	516	vlc.exe	vlc.exe
PID 516 wrote to memory of 3924	516	vlc.exe	vlc.exe
PID 516 wrote to memory of 3924	516	vlc.exe	vlc.exe
PID 516 wrote to memory of 3924	516	vlc.exe	vlc.exe
PID 516 wrote to memory of 3924	516	vlc.exe	vlc.exe
PID 516 wrote to memory of 3924	516	vlc.exe	vlc.exe
PID 516 wrote to memory of 3924	516	vlc.exe	vlc.exe
PID 516 wrote to memory of 3924	516	vlc.exe	vlc.exe

C:\Users\Admin\AppData\Local\Temp\e8594ea84a7a42ce70570019cff754a6.exe
"C:\Users\Admin\AppData\Local\Temp\e8594ea84a7a42ce70570019cff754a6.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:936

C:\Users\Admin\AppData\Local\Temp\e8594ea84a7a42ce70570019cff754a6.exe
"C:\Users\Admin\AppData\Local\Temp\e8594ea84a7a42ce70570019cff754a6.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\vlc.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\AppData\Roaming\vlc.exe
C:\Users\Admin\AppData\Roaming\vlc.exe
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:2928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:3992

C:\Users\Admin\AppData\Roaming\vlc.exe
"C:\Users\Admin\AppData\Roaming\vlc.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 1652
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 1544
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
0fd303b21c1a43c6a9078e6f5280ca85

SHA1
0db8f1ae34f4e2e72184e337951fde826c0bd26f

SHA256
5d8c6cfdf8fc198c4fd279487e5c1620ece89e39781c6337f4cb5e111e606ddc

SHA512
be4cdd48940bead0274c7cf08abd9bc75b5db468159cbf883198712d0bb15ad81a069638c628eba62237cfa0a197f845c0d9e1f4727c9608a8d642f7aba38671

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe
MD5
e8594ea84a7a42ce70570019cff754a6

SHA1
28c61ddbc341aff36ef147f1cb9139b7d055caf1

SHA256
3e1b557d439ca592c369de0b80c576820f61dcbc12c8babae78f3e30ba34f0af

SHA512
2cd119489120dee762c4a7821230f05924e6c99f79d7bc54e0bd4437256ec7526b906fe8f69c959f89ab001a055d6feeaa120e1174998577b17178351c8bf1b9

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe
MD5
e8594ea84a7a42ce70570019cff754a6

SHA1
28c61ddbc341aff36ef147f1cb9139b7d055caf1

SHA256
3e1b557d439ca592c369de0b80c576820f61dcbc12c8babae78f3e30ba34f0af

SHA512
2cd119489120dee762c4a7821230f05924e6c99f79d7bc54e0bd4437256ec7526b906fe8f69c959f89ab001a055d6feeaa120e1174998577b17178351c8bf1b9

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe
MD5
e8594ea84a7a42ce70570019cff754a6

SHA1
28c61ddbc341aff36ef147f1cb9139b7d055caf1

SHA256
3e1b557d439ca592c369de0b80c576820f61dcbc12c8babae78f3e30ba34f0af

SHA512
2cd119489120dee762c4a7821230f05924e6c99f79d7bc54e0bd4437256ec7526b906fe8f69c959f89ab001a055d6feeaa120e1174998577b17178351c8bf1b9

Download Submit
memory/220-11-0x0000000000000000-mapping.dmp

Download
memory/312-46-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/516-25-0x0000000000000000-mapping.dmp

Download
memory/516-28-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/524-9-0x0000000000000000-mapping.dmp

Download
memory/704-38-0x0000000000000000-mapping.dmp

Download
memory/832-8-0x00000000051E0000-0x0000000005211000-memory.dmp

Filesize
196KB

Download
memory/832-13-0x0000000006260000-0x0000000006261000-memory.dmp

Filesize
4KB

Download
memory/832-7-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/832-6-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/832-2-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/832-5-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/832-3-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/936-15-0x0000000000000000-mapping.dmp

Download
memory/996-21-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/2104-40-0x0000000000000000-mapping.dmp

Download
memory/2172-10-0x0000000000000000-mapping.dmp

Download
memory/2340-12-0x0000000000000000-mapping.dmp

Download
memory/2788-37-0x0000000000000000-mapping.dmp

Download
memory/2844-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2844-17-0x0000000000413FA4-mapping.dmp

Download
memory/2844-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2928-36-0x0000000000000000-mapping.dmp

Download
memory/2956-14-0x0000000000000000-mapping.dmp

Download
memory/3384-19-0x0000000000000000-mapping.dmp

Download
memory/3756-35-0x0000000000000000-mapping.dmp

Download
memory/3924-43-0x0000000000413FA4-mapping.dmp

Download
memory/3924-45-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3992-41-0x0000000000000000-mapping.dmp

Download
memory/4012-24-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads