remcos | 596479cd77e25e5d6dbf0b421afff049390813cc254ae90f86af00a10bdf6f90

General

Target

i5TiYkAYkWJy1O8.exe
Size

772KB
MD5

e17a0488de5ca3c73672541143ee6927
SHA1

8a4c59f81c17710e665fb3e055dc1cbd28bc8ce6
SHA256

596479cd77e25e5d6dbf0b421afff049390813cc254ae90f86af00a10bdf6f90
SHA512

6766459cca6b6a25902973ca210e274241841e7acd2684ccb3f362040e3dbd568f1b430d305e773e50e0ec1e5e7cd879d8f3aff7d4cc30ce0a786be58555537d

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

185.244.26.208:29100

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

1736 remcos.exe
1732 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

336 cmd.exe

pid	process
1736	remcos.exe
1732	remcos.exe

pid	process
336	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

remcos.exei5TiYkAYkWJy1O8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	i5TiYkAYkWJy1O8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	i5TiYkAYkWJy1O8.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

i5TiYkAYkWJy1O8.exeremcos.exe

description	pid	process	target process
PID 1652 set thread context of 576	1652	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 1736 set thread context of 1732	1736	remcos.exe	remcos.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

460 schtasks.exe
1816 schtasks.exe

pid	process
460	schtasks.exe
1816	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

i5TiYkAYkWJy1O8.exei5TiYkAYkWJy1O8.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 1652 wrote to memory of 460	1652	i5TiYkAYkWJy1O8.exe	schtasks.exe
PID 1652 wrote to memory of 460	1652	i5TiYkAYkWJy1O8.exe	schtasks.exe
PID 1652 wrote to memory of 460	1652	i5TiYkAYkWJy1O8.exe	schtasks.exe
PID 1652 wrote to memory of 460	1652	i5TiYkAYkWJy1O8.exe	schtasks.exe
PID 1652 wrote to memory of 576	1652	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 1652 wrote to memory of 576	1652	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 1652 wrote to memory of 576	1652	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 1652 wrote to memory of 576	1652	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 1652 wrote to memory of 576	1652	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 1652 wrote to memory of 576	1652	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 1652 wrote to memory of 576	1652	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 1652 wrote to memory of 576	1652	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 1652 wrote to memory of 576	1652	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 1652 wrote to memory of 576	1652	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 1652 wrote to memory of 576	1652	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 576 wrote to memory of 1092	576	i5TiYkAYkWJy1O8.exe	WScript.exe
PID 576 wrote to memory of 1092	576	i5TiYkAYkWJy1O8.exe	WScript.exe
PID 576 wrote to memory of 1092	576	i5TiYkAYkWJy1O8.exe	WScript.exe
PID 576 wrote to memory of 1092	576	i5TiYkAYkWJy1O8.exe	WScript.exe
PID 1092 wrote to memory of 336	1092	WScript.exe	cmd.exe
PID 1092 wrote to memory of 336	1092	WScript.exe	cmd.exe
PID 1092 wrote to memory of 336	1092	WScript.exe	cmd.exe
PID 1092 wrote to memory of 336	1092	WScript.exe	cmd.exe
PID 336 wrote to memory of 1736	336	cmd.exe	remcos.exe
PID 336 wrote to memory of 1736	336	cmd.exe	remcos.exe
PID 336 wrote to memory of 1736	336	cmd.exe	remcos.exe
PID 336 wrote to memory of 1736	336	cmd.exe	remcos.exe
PID 1736 wrote to memory of 1816	1736	remcos.exe	schtasks.exe
PID 1736 wrote to memory of 1816	1736	remcos.exe	schtasks.exe
PID 1736 wrote to memory of 1816	1736	remcos.exe	schtasks.exe
PID 1736 wrote to memory of 1816	1736	remcos.exe	schtasks.exe
PID 1736 wrote to memory of 1732	1736	remcos.exe	remcos.exe
PID 1736 wrote to memory of 1732	1736	remcos.exe	remcos.exe
PID 1736 wrote to memory of 1732	1736	remcos.exe	remcos.exe
PID 1736 wrote to memory of 1732	1736	remcos.exe	remcos.exe
PID 1736 wrote to memory of 1732	1736	remcos.exe	remcos.exe
PID 1736 wrote to memory of 1732	1736	remcos.exe	remcos.exe
PID 1736 wrote to memory of 1732	1736	remcos.exe	remcos.exe
PID 1736 wrote to memory of 1732	1736	remcos.exe	remcos.exe
PID 1736 wrote to memory of 1732	1736	remcos.exe	remcos.exe
PID 1736 wrote to memory of 1732	1736	remcos.exe	remcos.exe
PID 1736 wrote to memory of 1732	1736	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\i5TiYkAYkWJy1O8.exe
"C:\Users\Admin\AppData\Local\Temp\i5TiYkAYkWJy1O8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LChCpmvhHgIatd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp"
2⤵
- Creates scheduled task(s)
PID:460

C:\Users\Admin\AppData\Local\Temp\i5TiYkAYkWJy1O8.exe
"C:\Users\Admin\AppData\Local\Temp\i5TiYkAYkWJy1O8.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LChCpmvhHgIatd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp"
6⤵
- Creates scheduled task(s)
PID:1816

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp
MD5
f29647b5ee39160dcd52e5642cd659af

SHA1
d4c35b7343938930ff1fa6d938be3c2763f6872e

SHA256
ce798af4566e37df8221cbac35ea65151f329a64b3d4f95105dec4967520550f

SHA512
9bfb01514e330fa3f95e919671a7f27cda624d609b54fc94e8bfaa679e7ed14471fb83b35cbb59eac479fa363fdb52397ad253709556de8de0aa0a5885f244cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp
MD5
f29647b5ee39160dcd52e5642cd659af

SHA1
d4c35b7343938930ff1fa6d938be3c2763f6872e

SHA256
ce798af4566e37df8221cbac35ea65151f329a64b3d4f95105dec4967520550f

SHA512
9bfb01514e330fa3f95e919671a7f27cda624d609b54fc94e8bfaa679e7ed14471fb83b35cbb59eac479fa363fdb52397ad253709556de8de0aa0a5885f244cd

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
e17a0488de5ca3c73672541143ee6927

SHA1
8a4c59f81c17710e665fb3e055dc1cbd28bc8ce6

SHA256
596479cd77e25e5d6dbf0b421afff049390813cc254ae90f86af00a10bdf6f90

SHA512
6766459cca6b6a25902973ca210e274241841e7acd2684ccb3f362040e3dbd568f1b430d305e773e50e0ec1e5e7cd879d8f3aff7d4cc30ce0a786be58555537d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
e17a0488de5ca3c73672541143ee6927

SHA1
8a4c59f81c17710e665fb3e055dc1cbd28bc8ce6

SHA256
596479cd77e25e5d6dbf0b421afff049390813cc254ae90f86af00a10bdf6f90

SHA512
6766459cca6b6a25902973ca210e274241841e7acd2684ccb3f362040e3dbd568f1b430d305e773e50e0ec1e5e7cd879d8f3aff7d4cc30ce0a786be58555537d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
e17a0488de5ca3c73672541143ee6927

SHA1
8a4c59f81c17710e665fb3e055dc1cbd28bc8ce6

SHA256
596479cd77e25e5d6dbf0b421afff049390813cc254ae90f86af00a10bdf6f90

SHA512
6766459cca6b6a25902973ca210e274241841e7acd2684ccb3f362040e3dbd568f1b430d305e773e50e0ec1e5e7cd879d8f3aff7d4cc30ce0a786be58555537d

Download Submit
\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
e17a0488de5ca3c73672541143ee6927

SHA1
8a4c59f81c17710e665fb3e055dc1cbd28bc8ce6

SHA256
596479cd77e25e5d6dbf0b421afff049390813cc254ae90f86af00a10bdf6f90

SHA512
6766459cca6b6a25902973ca210e274241841e7acd2684ccb3f362040e3dbd568f1b430d305e773e50e0ec1e5e7cd879d8f3aff7d4cc30ce0a786be58555537d

Download Submit
memory/336-14-0x0000000000000000-mapping.dmp

Download
memory/460-7-0x0000000000000000-mapping.dmp

Download
memory/576-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/576-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/576-10-0x0000000000413FA4-mapping.dmp

Download
memory/1092-18-0x0000000002770000-0x0000000002774000-memory.dmp

Filesize
16KB

Download
memory/1092-12-0x0000000000000000-mapping.dmp

Download
memory/1652-5-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/1652-2-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1652-6-0x0000000004E10000-0x0000000004E6F000-memory.dmp

Filesize
380KB

Download
memory/1652-3-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/1732-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1732-28-0x0000000000413FA4-mapping.dmp

Download
memory/1736-17-0x0000000000000000-mapping.dmp

Download
memory/1736-21-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/1736-20-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/1816-25-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads