remcos | 0b69258626ece584131b49ae0aa317153d7b4ae602e7f936be7f462905cd9d8a

General

Target

Shipping Document.exe
Size

993KB
MD5

522b6a9b012ad32cf9a5f8c5bd9503eb
SHA1

b1262d137fa69bd2a1961577cd1deb2d7b748bde
SHA256

0b69258626ece584131b49ae0aa317153d7b4ae602e7f936be7f462905cd9d8a
SHA512

e148b7bdb43e619282b56d4e3202ac57c65b77812e4f6e7a830d6bb0de6e20d6f6e13f6d10420937e4274297737435ffb800d342b3270fd8069409b83d708c1a

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

79.134.225.34:20210

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

avg.exeavg.exe

pid process

1460 avg.exe
952 avg.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1012 cmd.exe

pid	process
1460	avg.exe
952	avg.exe

pid	process
1012	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Shipping Document.exeavg.exe

description	pid	process	target process
PID 1640 set thread context of 1668	1640	Shipping Document.exe	Shipping Document.exe
PID 1460 set thread context of 952	1460	avg.exe	avg.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

Shipping Document.exeShipping Document.exeWScript.execmd.exeavg.exe

description	pid	process	target process
PID 1640 wrote to memory of 1668	1640	Shipping Document.exe	Shipping Document.exe
PID 1640 wrote to memory of 1668	1640	Shipping Document.exe	Shipping Document.exe
PID 1640 wrote to memory of 1668	1640	Shipping Document.exe	Shipping Document.exe
PID 1640 wrote to memory of 1668	1640	Shipping Document.exe	Shipping Document.exe
PID 1640 wrote to memory of 1668	1640	Shipping Document.exe	Shipping Document.exe
PID 1640 wrote to memory of 1668	1640	Shipping Document.exe	Shipping Document.exe
PID 1640 wrote to memory of 1668	1640	Shipping Document.exe	Shipping Document.exe
PID 1640 wrote to memory of 1668	1640	Shipping Document.exe	Shipping Document.exe
PID 1640 wrote to memory of 1668	1640	Shipping Document.exe	Shipping Document.exe
PID 1640 wrote to memory of 1668	1640	Shipping Document.exe	Shipping Document.exe
PID 1640 wrote to memory of 1668	1640	Shipping Document.exe	Shipping Document.exe
PID 1668 wrote to memory of 1092	1668	Shipping Document.exe	WScript.exe
PID 1668 wrote to memory of 1092	1668	Shipping Document.exe	WScript.exe
PID 1668 wrote to memory of 1092	1668	Shipping Document.exe	WScript.exe
PID 1668 wrote to memory of 1092	1668	Shipping Document.exe	WScript.exe
PID 1092 wrote to memory of 1012	1092	WScript.exe	cmd.exe
PID 1092 wrote to memory of 1012	1092	WScript.exe	cmd.exe
PID 1092 wrote to memory of 1012	1092	WScript.exe	cmd.exe
PID 1092 wrote to memory of 1012	1092	WScript.exe	cmd.exe
PID 1012 wrote to memory of 1460	1012	cmd.exe	avg.exe
PID 1012 wrote to memory of 1460	1012	cmd.exe	avg.exe
PID 1012 wrote to memory of 1460	1012	cmd.exe	avg.exe
PID 1012 wrote to memory of 1460	1012	cmd.exe	avg.exe
PID 1460 wrote to memory of 952	1460	avg.exe	avg.exe
PID 1460 wrote to memory of 952	1460	avg.exe	avg.exe
PID 1460 wrote to memory of 952	1460	avg.exe	avg.exe
PID 1460 wrote to memory of 952	1460	avg.exe	avg.exe
PID 1460 wrote to memory of 952	1460	avg.exe	avg.exe
PID 1460 wrote to memory of 952	1460	avg.exe	avg.exe
PID 1460 wrote to memory of 952	1460	avg.exe	avg.exe
PID 1460 wrote to memory of 952	1460	avg.exe	avg.exe
PID 1460 wrote to memory of 952	1460	avg.exe	avg.exe
PID 1460 wrote to memory of 952	1460	avg.exe	avg.exe
PID 1460 wrote to memory of 952	1460	avg.exe	avg.exe

C:\Users\Admin\AppData\Local\Temp\Shipping Document.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Document.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\Shipping Document.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Document.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\avg.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Roaming\Remcos\avg.exe
C:\Users\Admin\AppData\Roaming\Remcos\avg.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Roaming\Remcos\avg.exe
"C:\Users\Admin\AppData\Roaming\Remcos\avg.exe"
6⤵
- Executes dropped EXE
PID:952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
222ff72d08a383519879fd6fe2dfc7bb

SHA1
5a76b3a8f29a37d16190b7977a28db32b57819d3

SHA256
54f4ed95899f8a81583e6ec482052b89924ccdf9049198d931bb2283e4132fe7

SHA512
b02e6af89fa61f6cf455fac444fa3bc8639d8d9d26db483be5f038d639dd074fcb052707d5458fbea67a94c424d146ab2239f4fc6cb70d710277c990d17aa926

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\avg.exe
MD5
522b6a9b012ad32cf9a5f8c5bd9503eb

SHA1
b1262d137fa69bd2a1961577cd1deb2d7b748bde

SHA256
0b69258626ece584131b49ae0aa317153d7b4ae602e7f936be7f462905cd9d8a

SHA512
e148b7bdb43e619282b56d4e3202ac57c65b77812e4f6e7a830d6bb0de6e20d6f6e13f6d10420937e4274297737435ffb800d342b3270fd8069409b83d708c1a

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\avg.exe
MD5
522b6a9b012ad32cf9a5f8c5bd9503eb

SHA1
b1262d137fa69bd2a1961577cd1deb2d7b748bde

SHA256
0b69258626ece584131b49ae0aa317153d7b4ae602e7f936be7f462905cd9d8a

SHA512
e148b7bdb43e619282b56d4e3202ac57c65b77812e4f6e7a830d6bb0de6e20d6f6e13f6d10420937e4274297737435ffb800d342b3270fd8069409b83d708c1a

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\avg.exe
MD5
522b6a9b012ad32cf9a5f8c5bd9503eb

SHA1
b1262d137fa69bd2a1961577cd1deb2d7b748bde

SHA256
0b69258626ece584131b49ae0aa317153d7b4ae602e7f936be7f462905cd9d8a

SHA512
e148b7bdb43e619282b56d4e3202ac57c65b77812e4f6e7a830d6bb0de6e20d6f6e13f6d10420937e4274297737435ffb800d342b3270fd8069409b83d708c1a

Download Submit
\Users\Admin\AppData\Roaming\Remcos\avg.exe
MD5
522b6a9b012ad32cf9a5f8c5bd9503eb

SHA1
b1262d137fa69bd2a1961577cd1deb2d7b748bde

SHA256
0b69258626ece584131b49ae0aa317153d7b4ae602e7f936be7f462905cd9d8a

SHA512
e148b7bdb43e619282b56d4e3202ac57c65b77812e4f6e7a830d6bb0de6e20d6f6e13f6d10420937e4274297737435ffb800d342b3270fd8069409b83d708c1a

Download Submit
memory/952-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/952-14-0x0000000000413FA4-mapping.dmp

Download
memory/1012-7-0x0000000000000000-mapping.dmp

Download
memory/1092-8-0x0000000002780000-0x0000000002784000-memory.dmp

Filesize
16KB

Download
memory/1092-5-0x0000000000000000-mapping.dmp

Download
memory/1460-11-0x0000000000000000-mapping.dmp

Download
memory/1668-2-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1668-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1668-3-0x0000000000413FA4-mapping.dmp

Download

Analysis

Sharing