remcos | 0b69258626ece584131b49ae0aa317153d7b4ae602e7f936be7f462905cd9d8a

General

Target

Shipping Document.exe
Size

993KB
MD5

522b6a9b012ad32cf9a5f8c5bd9503eb
SHA1

b1262d137fa69bd2a1961577cd1deb2d7b748bde
SHA256

0b69258626ece584131b49ae0aa317153d7b4ae602e7f936be7f462905cd9d8a
SHA512

e148b7bdb43e619282b56d4e3202ac57c65b77812e4f6e7a830d6bb0de6e20d6f6e13f6d10420937e4274297737435ffb800d342b3270fd8069409b83d708c1a

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

79.134.225.34:20210

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

avg.exeavg.exeavg.exe

pid process

2968 avg.exe
1328 avg.exe
1620 avg.exe

pid	process
2968	avg.exe
1328	avg.exe
1620	avg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Shipping Document.exeavg.exe

description	pid	process	target process
PID 988 set thread context of 736	988	Shipping Document.exe	Shipping Document.exe
PID 2968 set thread context of 1620	2968	avg.exe	avg.exe

Modifies registry class 1 IoCs

Processes:

Shipping Document.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings Shipping Document.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

avg.exe

pid process

2968 avg.exe
2968 avg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

avg.exe

description pid process

Token: SeDebugPrivilege 2968 avg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	Shipping Document.exe

pid	process
2968	avg.exe
2968	avg.exe

description	pid	process
Token: SeDebugPrivilege	2968	avg.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Shipping Document.exeShipping Document.exeWScript.execmd.exeavg.exe

description	pid	process	target process
PID 988 wrote to memory of 736	988	Shipping Document.exe	Shipping Document.exe
PID 988 wrote to memory of 736	988	Shipping Document.exe	Shipping Document.exe
PID 988 wrote to memory of 736	988	Shipping Document.exe	Shipping Document.exe
PID 988 wrote to memory of 736	988	Shipping Document.exe	Shipping Document.exe
PID 988 wrote to memory of 736	988	Shipping Document.exe	Shipping Document.exe
PID 988 wrote to memory of 736	988	Shipping Document.exe	Shipping Document.exe
PID 988 wrote to memory of 736	988	Shipping Document.exe	Shipping Document.exe
PID 988 wrote to memory of 736	988	Shipping Document.exe	Shipping Document.exe
PID 988 wrote to memory of 736	988	Shipping Document.exe	Shipping Document.exe
PID 988 wrote to memory of 736	988	Shipping Document.exe	Shipping Document.exe
PID 736 wrote to memory of 2660	736	Shipping Document.exe	WScript.exe
PID 736 wrote to memory of 2660	736	Shipping Document.exe	WScript.exe
PID 736 wrote to memory of 2660	736	Shipping Document.exe	WScript.exe
PID 2660 wrote to memory of 1372	2660	WScript.exe	cmd.exe
PID 2660 wrote to memory of 1372	2660	WScript.exe	cmd.exe
PID 2660 wrote to memory of 1372	2660	WScript.exe	cmd.exe
PID 1372 wrote to memory of 2968	1372	cmd.exe	avg.exe
PID 1372 wrote to memory of 2968	1372	cmd.exe	avg.exe
PID 1372 wrote to memory of 2968	1372	cmd.exe	avg.exe
PID 2968 wrote to memory of 1328	2968	avg.exe	avg.exe
PID 2968 wrote to memory of 1328	2968	avg.exe	avg.exe
PID 2968 wrote to memory of 1328	2968	avg.exe	avg.exe
PID 2968 wrote to memory of 1620	2968	avg.exe	avg.exe
PID 2968 wrote to memory of 1620	2968	avg.exe	avg.exe
PID 2968 wrote to memory of 1620	2968	avg.exe	avg.exe
PID 2968 wrote to memory of 1620	2968	avg.exe	avg.exe
PID 2968 wrote to memory of 1620	2968	avg.exe	avg.exe
PID 2968 wrote to memory of 1620	2968	avg.exe	avg.exe
PID 2968 wrote to memory of 1620	2968	avg.exe	avg.exe
PID 2968 wrote to memory of 1620	2968	avg.exe	avg.exe
PID 2968 wrote to memory of 1620	2968	avg.exe	avg.exe
PID 2968 wrote to memory of 1620	2968	avg.exe	avg.exe

C:\Users\Admin\AppData\Local\Temp\Shipping Document.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Document.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Local\Temp\Shipping Document.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Document.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\avg.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Roaming\Remcos\avg.exe
C:\Users\Admin\AppData\Roaming\Remcos\avg.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Roaming\Remcos\avg.exe
"C:\Users\Admin\AppData\Roaming\Remcos\avg.exe"
6⤵
- Executes dropped EXE
PID:1328

C:\Users\Admin\AppData\Roaming\Remcos\avg.exe
"C:\Users\Admin\AppData\Roaming\Remcos\avg.exe"
6⤵
- Executes dropped EXE
PID:1620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
222ff72d08a383519879fd6fe2dfc7bb

SHA1
5a76b3a8f29a37d16190b7977a28db32b57819d3

SHA256
54f4ed95899f8a81583e6ec482052b89924ccdf9049198d931bb2283e4132fe7

SHA512
b02e6af89fa61f6cf455fac444fa3bc8639d8d9d26db483be5f038d639dd074fcb052707d5458fbea67a94c424d146ab2239f4fc6cb70d710277c990d17aa926

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\avg.exe
MD5
522b6a9b012ad32cf9a5f8c5bd9503eb

SHA1
b1262d137fa69bd2a1961577cd1deb2d7b748bde

SHA256
0b69258626ece584131b49ae0aa317153d7b4ae602e7f936be7f462905cd9d8a

SHA512
e148b7bdb43e619282b56d4e3202ac57c65b77812e4f6e7a830d6bb0de6e20d6f6e13f6d10420937e4274297737435ffb800d342b3270fd8069409b83d708c1a

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\avg.exe
MD5
522b6a9b012ad32cf9a5f8c5bd9503eb

SHA1
b1262d137fa69bd2a1961577cd1deb2d7b748bde

SHA256
0b69258626ece584131b49ae0aa317153d7b4ae602e7f936be7f462905cd9d8a

SHA512
e148b7bdb43e619282b56d4e3202ac57c65b77812e4f6e7a830d6bb0de6e20d6f6e13f6d10420937e4274297737435ffb800d342b3270fd8069409b83d708c1a

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\avg.exe
MD5
522b6a9b012ad32cf9a5f8c5bd9503eb

SHA1
b1262d137fa69bd2a1961577cd1deb2d7b748bde

SHA256
0b69258626ece584131b49ae0aa317153d7b4ae602e7f936be7f462905cd9d8a

SHA512
e148b7bdb43e619282b56d4e3202ac57c65b77812e4f6e7a830d6bb0de6e20d6f6e13f6d10420937e4274297737435ffb800d342b3270fd8069409b83d708c1a

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\avg.exe
MD5
522b6a9b012ad32cf9a5f8c5bd9503eb

SHA1
b1262d137fa69bd2a1961577cd1deb2d7b748bde

SHA256
0b69258626ece584131b49ae0aa317153d7b4ae602e7f936be7f462905cd9d8a

SHA512
e148b7bdb43e619282b56d4e3202ac57c65b77812e4f6e7a830d6bb0de6e20d6f6e13f6d10420937e4274297737435ffb800d342b3270fd8069409b83d708c1a

Download Submit
memory/736-2-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/736-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/736-3-0x0000000000413FA4-mapping.dmp

Download
memory/1372-7-0x0000000000000000-mapping.dmp

Download
memory/1620-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1620-13-0x0000000000413FA4-mapping.dmp

Download
memory/2660-5-0x0000000000000000-mapping.dmp

Download
memory/2968-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing