remcos | 4e9dc740909974e7e5c1f5618bfba6192ada1ab988173685a50280bb4d232a5f

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
13-01-2021 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2CBPOfVTs5QeG8Z.exe
Size

725KB
MD5

7b709e3928fa5d957244a6620d546a7e
SHA1

fd6f4702fe9bcdcfc9555f50b2917ff6ca00ba12
SHA256

4e9dc740909974e7e5c1f5618bfba6192ada1ab988173685a50280bb4d232a5f
SHA512

4ecfad7f2221a1d37997aa40fc45bfb88a2630021cc3506b1c641a18913fb5944508f31f80f6b0d297031e3349d6a5034bb72c2a5ece181ce841576326faf970

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

185.244.26.208:29100

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 6 IoCs

Processes:

remcos.exeremcos.exeremcos.exeremcos.exeremcos.exeremcos.exe

pid process

916 remcos.exe
1580 remcos.exe
316 remcos.exe
2032 remcos.exe
1324 remcos.exe
1128 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

676 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

2CBPOfVTs5QeG8Z.exe

description pid process target process

PID 1080 set thread context of 584 1080 2CBPOfVTs5QeG8Z.exe 2CBPOfVTs5QeG8Z.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1212 schtasks.exe
792 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

remcos.exe

pid process

916 remcos.exe
916 remcos.exe
916 remcos.exe
916 remcos.exe
916 remcos.exe
916 remcos.exe
916 remcos.exe
916 remcos.exe
916 remcos.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

remcos.exe

description pid process

Token: SeDebugPrivilege 916 remcos.exe

pid	process
916	remcos.exe
1580	remcos.exe
316	remcos.exe
2032	remcos.exe
1324	remcos.exe
1128	remcos.exe

pid	process
676	cmd.exe

description	pid	process	target process
PID 1080 set thread context of 584	1080	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe

pid	process
1212	schtasks.exe
792	schtasks.exe

pid	process
916	remcos.exe
916	remcos.exe
916	remcos.exe
916	remcos.exe
916	remcos.exe
916	remcos.exe
916	remcos.exe
916	remcos.exe
916	remcos.exe

description	pid	process
Token: SeDebugPrivilege	916	remcos.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

2CBPOfVTs5QeG8Z.exe2CBPOfVTs5QeG8Z.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 1080 wrote to memory of 1212	1080	2CBPOfVTs5QeG8Z.exe	schtasks.exe
PID 1080 wrote to memory of 1212	1080	2CBPOfVTs5QeG8Z.exe	schtasks.exe
PID 1080 wrote to memory of 1212	1080	2CBPOfVTs5QeG8Z.exe	schtasks.exe
PID 1080 wrote to memory of 1212	1080	2CBPOfVTs5QeG8Z.exe	schtasks.exe
PID 1080 wrote to memory of 584	1080	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 1080 wrote to memory of 584	1080	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 1080 wrote to memory of 584	1080	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 1080 wrote to memory of 584	1080	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 1080 wrote to memory of 584	1080	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 1080 wrote to memory of 584	1080	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 1080 wrote to memory of 584	1080	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 1080 wrote to memory of 584	1080	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 1080 wrote to memory of 584	1080	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 1080 wrote to memory of 584	1080	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 1080 wrote to memory of 584	1080	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 584 wrote to memory of 748	584	2CBPOfVTs5QeG8Z.exe	WScript.exe
PID 584 wrote to memory of 748	584	2CBPOfVTs5QeG8Z.exe	WScript.exe
PID 584 wrote to memory of 748	584	2CBPOfVTs5QeG8Z.exe	WScript.exe
PID 584 wrote to memory of 748	584	2CBPOfVTs5QeG8Z.exe	WScript.exe
PID 748 wrote to memory of 676	748	WScript.exe	cmd.exe
PID 748 wrote to memory of 676	748	WScript.exe	cmd.exe
PID 748 wrote to memory of 676	748	WScript.exe	cmd.exe
PID 748 wrote to memory of 676	748	WScript.exe	cmd.exe
PID 676 wrote to memory of 916	676	cmd.exe	remcos.exe
PID 676 wrote to memory of 916	676	cmd.exe	remcos.exe
PID 676 wrote to memory of 916	676	cmd.exe	remcos.exe
PID 676 wrote to memory of 916	676	cmd.exe	remcos.exe
PID 916 wrote to memory of 792	916	remcos.exe	schtasks.exe
PID 916 wrote to memory of 792	916	remcos.exe	schtasks.exe
PID 916 wrote to memory of 792	916	remcos.exe	schtasks.exe
PID 916 wrote to memory of 792	916	remcos.exe	schtasks.exe
PID 916 wrote to memory of 1580	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 1580	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 1580	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 1580	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 316	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 316	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 316	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 316	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 2032	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 2032	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 2032	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 2032	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 1324	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 1324	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 1324	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 1324	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 1128	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 1128	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 1128	916	remcos.exe	remcos.exe
PID 916 wrote to memory of 1128	916	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\2CBPOfVTs5QeG8Z.exe
"C:\Users\Admin\AppData\Local\Temp\2CBPOfVTs5QeG8Z.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ERojaNssrIHFaE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF0A5.tmp"
2⤵
- Creates scheduled task(s)
PID:1212

C:\Users\Admin\AppData\Local\Temp\2CBPOfVTs5QeG8Z.exe
"C:\Users\Admin\AppData\Local\Temp\2CBPOfVTs5QeG8Z.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ERojaNssrIHFaE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC948.tmp"
6⤵
- Creates scheduled task(s)
PID:792

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
PID:1580

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
PID:316

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
PID:2032

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
PID:1128

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC948.tmp
MD5
dd58c746a38c74ea4a7f1fb71ef5a4d0

SHA1
f4984e3913b3862bcc0906be3e203734306afa8c

SHA256
64e7c92dfe9ce43edafd10955d366a254aa121052f8a0e03a6296a81b0b5dd0c

SHA512
8e964fbda964363090a2e5ecfb99dfc742edfa530543f42b08dc4c026f750c5139d752ae1840f918df7f071d37b2b6b566c9c1f900b5a31ab132b63eb0b14755

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF0A5.tmp
MD5
dd58c746a38c74ea4a7f1fb71ef5a4d0

SHA1
f4984e3913b3862bcc0906be3e203734306afa8c

SHA256
64e7c92dfe9ce43edafd10955d366a254aa121052f8a0e03a6296a81b0b5dd0c

SHA512
8e964fbda964363090a2e5ecfb99dfc742edfa530543f42b08dc4c026f750c5139d752ae1840f918df7f071d37b2b6b566c9c1f900b5a31ab132b63eb0b14755

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7b709e3928fa5d957244a6620d546a7e

SHA1
fd6f4702fe9bcdcfc9555f50b2917ff6ca00ba12

SHA256
4e9dc740909974e7e5c1f5618bfba6192ada1ab988173685a50280bb4d232a5f

SHA512
4ecfad7f2221a1d37997aa40fc45bfb88a2630021cc3506b1c641a18913fb5944508f31f80f6b0d297031e3349d6a5034bb72c2a5ece181ce841576326faf970

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7b709e3928fa5d957244a6620d546a7e

SHA1
fd6f4702fe9bcdcfc9555f50b2917ff6ca00ba12

SHA256
4e9dc740909974e7e5c1f5618bfba6192ada1ab988173685a50280bb4d232a5f

SHA512
4ecfad7f2221a1d37997aa40fc45bfb88a2630021cc3506b1c641a18913fb5944508f31f80f6b0d297031e3349d6a5034bb72c2a5ece181ce841576326faf970

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7b709e3928fa5d957244a6620d546a7e

SHA1
fd6f4702fe9bcdcfc9555f50b2917ff6ca00ba12

SHA256
4e9dc740909974e7e5c1f5618bfba6192ada1ab988173685a50280bb4d232a5f

SHA512
4ecfad7f2221a1d37997aa40fc45bfb88a2630021cc3506b1c641a18913fb5944508f31f80f6b0d297031e3349d6a5034bb72c2a5ece181ce841576326faf970

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7b709e3928fa5d957244a6620d546a7e

SHA1
fd6f4702fe9bcdcfc9555f50b2917ff6ca00ba12

SHA256
4e9dc740909974e7e5c1f5618bfba6192ada1ab988173685a50280bb4d232a5f

SHA512
4ecfad7f2221a1d37997aa40fc45bfb88a2630021cc3506b1c641a18913fb5944508f31f80f6b0d297031e3349d6a5034bb72c2a5ece181ce841576326faf970

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7b709e3928fa5d957244a6620d546a7e

SHA1
fd6f4702fe9bcdcfc9555f50b2917ff6ca00ba12

SHA256
4e9dc740909974e7e5c1f5618bfba6192ada1ab988173685a50280bb4d232a5f

SHA512
4ecfad7f2221a1d37997aa40fc45bfb88a2630021cc3506b1c641a18913fb5944508f31f80f6b0d297031e3349d6a5034bb72c2a5ece181ce841576326faf970

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7b709e3928fa5d957244a6620d546a7e

SHA1
fd6f4702fe9bcdcfc9555f50b2917ff6ca00ba12

SHA256
4e9dc740909974e7e5c1f5618bfba6192ada1ab988173685a50280bb4d232a5f

SHA512
4ecfad7f2221a1d37997aa40fc45bfb88a2630021cc3506b1c641a18913fb5944508f31f80f6b0d297031e3349d6a5034bb72c2a5ece181ce841576326faf970

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7b709e3928fa5d957244a6620d546a7e

SHA1
fd6f4702fe9bcdcfc9555f50b2917ff6ca00ba12

SHA256
4e9dc740909974e7e5c1f5618bfba6192ada1ab988173685a50280bb4d232a5f

SHA512
4ecfad7f2221a1d37997aa40fc45bfb88a2630021cc3506b1c641a18913fb5944508f31f80f6b0d297031e3349d6a5034bb72c2a5ece181ce841576326faf970

Download Submit
\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7b709e3928fa5d957244a6620d546a7e

SHA1
fd6f4702fe9bcdcfc9555f50b2917ff6ca00ba12

SHA256
4e9dc740909974e7e5c1f5618bfba6192ada1ab988173685a50280bb4d232a5f

SHA512
4ecfad7f2221a1d37997aa40fc45bfb88a2630021cc3506b1c641a18913fb5944508f31f80f6b0d297031e3349d6a5034bb72c2a5ece181ce841576326faf970

Download Submit
memory/584-10-0x0000000000413FA4-mapping.dmp

Download
memory/584-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/584-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/676-14-0x0000000000000000-mapping.dmp

Download
memory/748-15-0x0000000002700000-0x0000000002704000-memory.dmp

Filesize
16KB

Download
memory/748-12-0x0000000000000000-mapping.dmp

Download
memory/792-25-0x0000000000000000-mapping.dmp

Download
memory/916-18-0x0000000000000000-mapping.dmp

Download
memory/916-20-0x0000000074CF0000-0x00000000753DE000-memory.dmp

Filesize
6.9MB

Download
memory/916-21-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1080-2-0x0000000074CF0000-0x00000000753DE000-memory.dmp

Filesize
6.9MB

Download
memory/1080-6-0x0000000004D90000-0x0000000004DEE000-memory.dmp

Filesize
376KB

Download
memory/1080-5-0x0000000000270000-0x0000000000282000-memory.dmp

Filesize
72KB

Download
memory/1080-3-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1212-7-0x0000000000000000-mapping.dmp

Download