remcos | 01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c

General

Target

Wjhus order 13.1.2021.exe
Size

374KB
MD5

20663ecc753600bebd55fbc4c3fff85e
SHA1

6f14c5bd02dca7c1a58965ccb26a10ef8aa95aea
SHA256

01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c
SHA512

d3e2e219fac00dcb53d3f2ef1e789110681183ce22e32191c11c404f816ee4d2b342a5090288907e21d17dc779e9a9baede05aeb20390cacbc047be486f681af

Score

10^/10

remcos persistence rat spyware

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 5 IoCs

Processes:

VLC.exeVLC.exeVLC.exeVLC.exeVLC.exe

pid process

208 VLC.exe
1364 VLC.exe
2072 VLC.exe
2936 VLC.exe
652 VLC.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
208	VLC.exe
1364	VLC.exe
2072	VLC.exe
2936	VLC.exe
652	VLC.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Wjhus order 13.1.2021.exeVLC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Wjhus order 13.1.2021.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtemcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\eremcos\\VLC.exe\""	Wjhus order 13.1.2021.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	VLC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtemcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\eremcos\\VLC.exe\""	VLC.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

VLC.exe

description	pid	process	target process
PID 1364 set thread context of 2072	1364	VLC.exe	VLC.exe
PID 1364 set thread context of 2936	1364	VLC.exe	VLC.exe
PID 1364 set thread context of 652	1364	VLC.exe	VLC.exe

Modifies registry class 1 IoCs

Processes:

Wjhus order 13.1.2021.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings Wjhus order 13.1.2021.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

VLC.exeVLC.exe

pid process

2072 VLC.exe
2072 VLC.exe
2936 VLC.exe
2936 VLC.exe
2072 VLC.exe
2072 VLC.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

VLC.exe

description pid process

Token: SeDebugPrivilege 2936 VLC.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

VLC.exe

pid process

1364 VLC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	Wjhus order 13.1.2021.exe

pid	process
2072	VLC.exe
2072	VLC.exe
2936	VLC.exe
2936	VLC.exe
2072	VLC.exe
2072	VLC.exe

description	pid	process
Token: SeDebugPrivilege	2936	VLC.exe

pid	process
1364	VLC.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

Wjhus order 13.1.2021.exeWScript.execmd.exeVLC.exeVLC.exe

description	pid	process	target process
PID 424 wrote to memory of 2740	424	Wjhus order 13.1.2021.exe	WScript.exe
PID 424 wrote to memory of 2740	424	Wjhus order 13.1.2021.exe	WScript.exe
PID 424 wrote to memory of 2740	424	Wjhus order 13.1.2021.exe	WScript.exe
PID 2740 wrote to memory of 3140	2740	WScript.exe	cmd.exe
PID 2740 wrote to memory of 3140	2740	WScript.exe	cmd.exe
PID 2740 wrote to memory of 3140	2740	WScript.exe	cmd.exe
PID 3140 wrote to memory of 208	3140	cmd.exe	VLC.exe
PID 3140 wrote to memory of 208	3140	cmd.exe	VLC.exe
PID 3140 wrote to memory of 208	3140	cmd.exe	VLC.exe
PID 208 wrote to memory of 1364	208	VLC.exe	VLC.exe
PID 208 wrote to memory of 1364	208	VLC.exe	VLC.exe
PID 208 wrote to memory of 1364	208	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2228	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2228	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2228	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 3696	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 3696	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 3696	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2072	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2072	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2072	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2072	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2072	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2072	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2072	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2072	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2936	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2936	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2936	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2936	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2936	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2936	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2936	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 2936	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 652	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 652	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 652	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 652	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 652	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 652	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 652	1364	VLC.exe	VLC.exe
PID 1364 wrote to memory of 652	1364	VLC.exe	VLC.exe

C:\Users\Admin\AppData\Local\Temp\Wjhus order 13.1.2021.exe
"C:\Users\Admin\AppData\Local\Temp\Wjhus order 13.1.2021.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:424

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe
C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe
"C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe
C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe /stext "C:\Users\Admin\AppData\Local\Temp\ilzljonafsdqhsvyyrhfjhxnsrjpdittq"
6⤵
PID:2228

C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe
C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe /stext "C:\Users\Admin\AppData\Local\Temp\ilzljonafsdqhsvyyrhfjhxnsrjpdittq"
6⤵
PID:3696

C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe
C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe /stext "C:\Users\Admin\AppData\Local\Temp\ilzljonafsdqhsvyyrhfjhxnsrjpdittq"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2072

C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe
C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe /stext "C:\Users\Admin\AppData\Local\Temp\dirodzjvp"
6⤵
- Executes dropped EXE
PID:652

C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe
C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe /stext "C:\Users\Admin\AppData\Local\Temp\tfewc"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ilzljonafsdqhsvyyrhfjhxnsrjpdittq
MD5
814b5ce4cad79d36055d2d4b5958cc31

SHA1
2a06a869615f0858479371b0415899681fb0c7d8

SHA256
6d1fa1a75faec2b39e8a2a1df8dd0f15e5256de7da7c527225ecf22fdacaf559

SHA512
a82fa1594ccbe1df93a973a01c787a6baa0ce8a97c0b0b0a844c90cb6be092b1094636b4d88c568fece95cd9bdfe4412875011abe318373a4fcfc218f93d1278

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
516c683f65edb23d0e850fa3ef3c8684

SHA1
2ac568ffec85d04a03ce8cd67d22c0f57ebcf78b

SHA256
90fcf9d38e16bf59c8ba902a0a2fb4535cb54515fdb51ecf561cec6911db553d

SHA512
fb785e0ba530ef75dab428467da6b2da078a356a953fb7b1729d2474b06a44f854cfd41fa6f3432e13f330c4a12b1665d316c63291fbd46bb165ba1e7b384c93

Download Submit
C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe
MD5
20663ecc753600bebd55fbc4c3fff85e

SHA1
6f14c5bd02dca7c1a58965ccb26a10ef8aa95aea

SHA256
01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c

SHA512
d3e2e219fac00dcb53d3f2ef1e789110681183ce22e32191c11c404f816ee4d2b342a5090288907e21d17dc779e9a9baede05aeb20390cacbc047be486f681af

Download Submit
C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe
MD5
20663ecc753600bebd55fbc4c3fff85e

SHA1
6f14c5bd02dca7c1a58965ccb26a10ef8aa95aea

SHA256
01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c

SHA512
d3e2e219fac00dcb53d3f2ef1e789110681183ce22e32191c11c404f816ee4d2b342a5090288907e21d17dc779e9a9baede05aeb20390cacbc047be486f681af

Download Submit
C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe
MD5
20663ecc753600bebd55fbc4c3fff85e

SHA1
6f14c5bd02dca7c1a58965ccb26a10ef8aa95aea

SHA256
01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c

SHA512
d3e2e219fac00dcb53d3f2ef1e789110681183ce22e32191c11c404f816ee4d2b342a5090288907e21d17dc779e9a9baede05aeb20390cacbc047be486f681af

Download Submit
C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe
MD5
20663ecc753600bebd55fbc4c3fff85e

SHA1
6f14c5bd02dca7c1a58965ccb26a10ef8aa95aea

SHA256
01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c

SHA512
d3e2e219fac00dcb53d3f2ef1e789110681183ce22e32191c11c404f816ee4d2b342a5090288907e21d17dc779e9a9baede05aeb20390cacbc047be486f681af

Download Submit
C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe
MD5
20663ecc753600bebd55fbc4c3fff85e

SHA1
6f14c5bd02dca7c1a58965ccb26a10ef8aa95aea

SHA256
01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c

SHA512
d3e2e219fac00dcb53d3f2ef1e789110681183ce22e32191c11c404f816ee4d2b342a5090288907e21d17dc779e9a9baede05aeb20390cacbc047be486f681af

Download Submit
C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe
MD5
20663ecc753600bebd55fbc4c3fff85e

SHA1
6f14c5bd02dca7c1a58965ccb26a10ef8aa95aea

SHA256
01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c

SHA512
d3e2e219fac00dcb53d3f2ef1e789110681183ce22e32191c11c404f816ee4d2b342a5090288907e21d17dc779e9a9baede05aeb20390cacbc047be486f681af

Download Submit
memory/208-5-0x0000000000000000-mapping.dmp

Download
memory/652-18-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/652-24-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/652-23-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/652-20-0x0000000000455238-mapping.dmp

Download
memory/1364-8-0x0000000000000000-mapping.dmp

Download
memory/2072-14-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2072-16-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2072-10-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2072-11-0x0000000000476274-mapping.dmp

Download
memory/2740-2-0x0000000000000000-mapping.dmp

Download
memory/2936-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2936-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2936-15-0x0000000000422206-mapping.dmp

Download
memory/2936-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3140-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads