remcos | 0fa5f308271acceabd13e15871b230e030550825e17bdd0b3b1e53724ca5abd6

General

Target

libcrypto-1_1.sfx.exe
Size

1.9MB
MD5

ef39ea0b41b06ea6c8ea7259e538f2d0
SHA1

2f2cb13dbeb72a8e946c7aa0c8f1fc59b06ab196
SHA256

0fa5f308271acceabd13e15871b230e030550825e17bdd0b3b1e53724ca5abd6
SHA512

4e349e98bda41fa0c3e2f6bedeef194d790548dd748ae746bfe06ef0dffe29a4df2a72e3372825896ce4c465a181752fa41b5b8ec1962748bbb5f1fdf85d4b80

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

5.45.87.29:8000

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

19 1000 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

ads.exe

pid process

2660 ads.exe
Loads dropped DLL 2 IoCs

Processes:

ads.exe

pid process

2660 ads.exe
2660 ads.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ads.exenotepad.exe

pid process

2660 ads.exe
2136 notepad.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

cmd.exe

pid process

1000 cmd.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

notepad.exe

pid process

2136 notepad.exe

flow	pid	process
19	1000	cmd.exe

pid	process
2660	ads.exe

pid	process
2660	ads.exe
2660	ads.exe

pid	process
2660	ads.exe
2136	notepad.exe

pid	process
1000	cmd.exe

pid	process
2136	notepad.exe

Suspicious use of AdjustPrivilegeToken 2982 IoCs

Processes:

ads.exe

description	pid	process
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe
Token: SeBackupPrivilege	2660	ads.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ads.execmd.exe

pid process

2660 ads.exe
1000 cmd.exe

pid	process
2660	ads.exe
1000	cmd.exe

Suspicious use of WriteProcessMemory 157 IoCs

Processes:

libcrypto-1_1.sfx.exeads.exe

description	pid	process	target process
PID 652 wrote to memory of 2660	652	libcrypto-1_1.sfx.exe	ads.exe
PID 652 wrote to memory of 2660	652	libcrypto-1_1.sfx.exe	ads.exe
PID 652 wrote to memory of 2660	652	libcrypto-1_1.sfx.exe	ads.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe
PID 2660 wrote to memory of 2136	2660	ads.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\libcrypto-1_1.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\libcrypto-1_1.sfx.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ads.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ads.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ads.exe
MD5
7215c1b9693b1394aaa7c86dcd741ad7

SHA1
290dda9a0f85cf5f119cb726e4f5d86696672bbc

SHA256
1d2914c04b213029550eba1e0c0b40e36a32b443a76efc9c2f779e8b9448bdd5

SHA512
e79b8a8ffbf75a17ab8b16752d3da68be9c6f7c50fedf4a6049da2393ff8b1b43e1f9cd9b9bfdc06c8b62764031d959962cfc11898bd81bf22a9970d6c63b945

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ads.exe
MD5
7215c1b9693b1394aaa7c86dcd741ad7

SHA1
290dda9a0f85cf5f119cb726e4f5d86696672bbc

SHA256
1d2914c04b213029550eba1e0c0b40e36a32b443a76efc9c2f779e8b9448bdd5

SHA512
e79b8a8ffbf75a17ab8b16752d3da68be9c6f7c50fedf4a6049da2393ff8b1b43e1f9cd9b9bfdc06c8b62764031d959962cfc11898bd81bf22a9970d6c63b945

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\libcrypto-1_1.dll
MD5
7aa8e8a6c98d50e1918f2e65d1852134

SHA1
59158fe1316289d5904e31cff2020b5d08f579b6

SHA256
ffe00c6f8cbb3d182dcf350dd74baa43ef89cffea71b6b0a386e4d6b391d2c36

SHA512
d40fb6b3b5623a1a997a523a750a2a8e555d9fec8b81a1aa184ad8fca67b82e16de37d6942fc31da418e2dbe7b6d1030f42e1d679d88a36de387a8cc3da01ef5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\libcrypto-1_1.dll
MD5
7aa8e8a6c98d50e1918f2e65d1852134

SHA1
59158fe1316289d5904e31cff2020b5d08f579b6

SHA256
ffe00c6f8cbb3d182dcf350dd74baa43ef89cffea71b6b0a386e4d6b391d2c36

SHA512
d40fb6b3b5623a1a997a523a750a2a8e555d9fec8b81a1aa184ad8fca67b82e16de37d6942fc31da418e2dbe7b6d1030f42e1d679d88a36de387a8cc3da01ef5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\libcrypto-1_1.dll
MD5
7aa8e8a6c98d50e1918f2e65d1852134

SHA1
59158fe1316289d5904e31cff2020b5d08f579b6

SHA256
ffe00c6f8cbb3d182dcf350dd74baa43ef89cffea71b6b0a386e4d6b391d2c36

SHA512
d40fb6b3b5623a1a997a523a750a2a8e555d9fec8b81a1aa184ad8fca67b82e16de37d6942fc31da418e2dbe7b6d1030f42e1d679d88a36de387a8cc3da01ef5

Download Submit
memory/1000-9-0x0000000000000000-mapping.dmp

Download
memory/1000-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2136-8-0x0000000000000000-mapping.dmp

Download
memory/2660-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing