remcos | 7e3336d8807cd8388486aad1291579306d530edfbd0d4402c5f642184386957f

General

Target

TaskAudio Driver.exe
Size

1.2MB
MD5

16e567f491fdd100e60bd060e400af2b
SHA1

01ebaa041c6803fbcfc6b6924b2ad7f3e79f2b02
SHA256

7e3336d8807cd8388486aad1291579306d530edfbd0d4402c5f642184386957f
SHA512

7cfc3fa620149d648aed26fe0d850eaa4ff570bb5885550f19c6f622f07e618b9adb30524b1f83e13c976600632b569287f025101bec9a171400b9c8eab73426

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

193.111.198.220:5862

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 47 IoCs

Processes:

cmd.exe

flow	pid	process
18	212	cmd.exe
19	212	cmd.exe
20	212	cmd.exe
21	212	cmd.exe
22	212	cmd.exe
23	212	cmd.exe
24	212	cmd.exe
25	212	cmd.exe
26	212	cmd.exe
27	212	cmd.exe
28	212	cmd.exe
29	212	cmd.exe
30	212	cmd.exe
31	212	cmd.exe
32	212	cmd.exe
33	212	cmd.exe
34	212	cmd.exe
35	212	cmd.exe
36	212	cmd.exe
37	212	cmd.exe
38	212	cmd.exe
39	212	cmd.exe
40	212	cmd.exe
41	212	cmd.exe
42	212	cmd.exe
43	212	cmd.exe
44	212	cmd.exe
45	212	cmd.exe
46	212	cmd.exe
47	212	cmd.exe
48	212	cmd.exe
49	212	cmd.exe
50	212	cmd.exe
51	212	cmd.exe
52	212	cmd.exe
53	212	cmd.exe
54	212	cmd.exe
55	212	cmd.exe
56	212	cmd.exe
57	212	cmd.exe
58	212	cmd.exe
59	212	cmd.exe
60	212	cmd.exe
61	212	cmd.exe
62	212	cmd.exe
63	212	cmd.exe
64	212	cmd.exe

Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\mdrs.job cmd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

TaskAudio Driver.exenotepad.exe

pid process

1628 TaskAudio Driver.exe
732 notepad.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

notepad.exe

pid process

732 notepad.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

212 cmd.exe

description	ioc	process
File created	C:\Windows\Tasks\mdrs.job	cmd.exe

pid	process
1628	TaskAudio Driver.exe
732	notepad.exe

pid	process
732	notepad.exe

pid	process
212	cmd.exe

Suspicious use of WriteProcessMemory 162 IoCs

Processes:

TaskAudio Driver.exe

description	pid	process	target process
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe
PID 1628 wrote to memory of 732	1628	TaskAudio Driver.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\TaskAudio Driver.exe
"C:\Users\Admin\AppData\Local\Temp\TaskAudio Driver.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-3-0x0000000000000000-mapping.dmp

Download
memory/212-4-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/732-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing