remcos | 490949068e713c6d3c2fd04b38d00573420b0f5ddf1b61672ffd2bd8ce40cad2

General

Target

Product_List_And_Prices.exe
Size

649KB
MD5

0f2c421ac61c55b966ebedc48ccf44e4
SHA1

2f3a1098c2b6992c25dfb5e07b3035b42df7f0d9
SHA256

490949068e713c6d3c2fd04b38d00573420b0f5ddf1b61672ffd2bd8ce40cad2
SHA512

bf7e61ce7458db49cc214f9328431d9b1beeeba20348b6bf76deb9aeb9596061f117dda57e8f8a3a3f10ff0799f2ff513ddfcb24aa250aec09b577ae09423efe

Score

10^/10

remcos rat spyware

Malware Config

Extracted

Family

remcos

C2

185.244.26.208:29100

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/940-39-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/940-39-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

remcos.exeremcos.exeremcos.exe

pid process

1108 remcos.exe
1508 remcos.exe
940 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

616 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1108	remcos.exe
1508	remcos.exe
940	remcos.exe

pid	process
616	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Product_List_And_Prices.exeremcos.exeremcos.exe

description	pid	process	target process
PID 776 set thread context of 1060	776	Product_List_And_Prices.exe	Product_List_And_Prices.exe
PID 1108 set thread context of 1508	1108	remcos.exe	remcos.exe
PID 1508 set thread context of 1200	1508	remcos.exe	svchost.exe
PID 1508 set thread context of 940	1508	remcos.exe	remcos.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

908 schtasks.exe
1624 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

1108 remcos.exe
940 remcos.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

remcos.exe

description pid process

Token: SeDebugPrivilege 1108 remcos.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

1508 remcos.exe

pid	process
908	schtasks.exe
1624	schtasks.exe

pid	process
1108	remcos.exe
940	remcos.exe

description	pid	process
Token: SeDebugPrivilege	1108	remcos.exe

pid	process
1508	remcos.exe

Suspicious use of WriteProcessMemory 76 IoCs

Processes:

Product_List_And_Prices.exeProduct_List_And_Prices.exeWScript.execmd.exeremcos.exeremcos.exe

description	pid	process	target process
PID 776 wrote to memory of 908	776	Product_List_And_Prices.exe	schtasks.exe
PID 776 wrote to memory of 908	776	Product_List_And_Prices.exe	schtasks.exe
PID 776 wrote to memory of 908	776	Product_List_And_Prices.exe	schtasks.exe
PID 776 wrote to memory of 908	776	Product_List_And_Prices.exe	schtasks.exe
PID 776 wrote to memory of 1060	776	Product_List_And_Prices.exe	Product_List_And_Prices.exe
PID 776 wrote to memory of 1060	776	Product_List_And_Prices.exe	Product_List_And_Prices.exe
PID 776 wrote to memory of 1060	776	Product_List_And_Prices.exe	Product_List_And_Prices.exe
PID 776 wrote to memory of 1060	776	Product_List_And_Prices.exe	Product_List_And_Prices.exe
PID 776 wrote to memory of 1060	776	Product_List_And_Prices.exe	Product_List_And_Prices.exe
PID 776 wrote to memory of 1060	776	Product_List_And_Prices.exe	Product_List_And_Prices.exe
PID 776 wrote to memory of 1060	776	Product_List_And_Prices.exe	Product_List_And_Prices.exe
PID 776 wrote to memory of 1060	776	Product_List_And_Prices.exe	Product_List_And_Prices.exe
PID 776 wrote to memory of 1060	776	Product_List_And_Prices.exe	Product_List_And_Prices.exe
PID 776 wrote to memory of 1060	776	Product_List_And_Prices.exe	Product_List_And_Prices.exe
PID 776 wrote to memory of 1060	776	Product_List_And_Prices.exe	Product_List_And_Prices.exe
PID 1060 wrote to memory of 808	1060	Product_List_And_Prices.exe	WScript.exe
PID 1060 wrote to memory of 808	1060	Product_List_And_Prices.exe	WScript.exe
PID 1060 wrote to memory of 808	1060	Product_List_And_Prices.exe	WScript.exe
PID 1060 wrote to memory of 808	1060	Product_List_And_Prices.exe	WScript.exe
PID 808 wrote to memory of 616	808	WScript.exe	cmd.exe
PID 808 wrote to memory of 616	808	WScript.exe	cmd.exe
PID 808 wrote to memory of 616	808	WScript.exe	cmd.exe
PID 808 wrote to memory of 616	808	WScript.exe	cmd.exe
PID 616 wrote to memory of 1108	616	cmd.exe	remcos.exe
PID 616 wrote to memory of 1108	616	cmd.exe	remcos.exe
PID 616 wrote to memory of 1108	616	cmd.exe	remcos.exe
PID 616 wrote to memory of 1108	616	cmd.exe	remcos.exe
PID 1108 wrote to memory of 1624	1108	remcos.exe	schtasks.exe
PID 1108 wrote to memory of 1624	1108	remcos.exe	schtasks.exe
PID 1108 wrote to memory of 1624	1108	remcos.exe	schtasks.exe
PID 1108 wrote to memory of 1624	1108	remcos.exe	schtasks.exe
PID 1108 wrote to memory of 1508	1108	remcos.exe	remcos.exe
PID 1108 wrote to memory of 1508	1108	remcos.exe	remcos.exe
PID 1108 wrote to memory of 1508	1108	remcos.exe	remcos.exe
PID 1108 wrote to memory of 1508	1108	remcos.exe	remcos.exe
PID 1108 wrote to memory of 1508	1108	remcos.exe	remcos.exe
PID 1108 wrote to memory of 1508	1108	remcos.exe	remcos.exe
PID 1108 wrote to memory of 1508	1108	remcos.exe	remcos.exe
PID 1108 wrote to memory of 1508	1108	remcos.exe	remcos.exe
PID 1108 wrote to memory of 1508	1108	remcos.exe	remcos.exe
PID 1108 wrote to memory of 1508	1108	remcos.exe	remcos.exe
PID 1108 wrote to memory of 1508	1108	remcos.exe	remcos.exe
PID 1508 wrote to memory of 1200	1508	remcos.exe	svchost.exe
PID 1508 wrote to memory of 1200	1508	remcos.exe	svchost.exe
PID 1508 wrote to memory of 1200	1508	remcos.exe	svchost.exe
PID 1508 wrote to memory of 1200	1508	remcos.exe	svchost.exe
PID 1508 wrote to memory of 1200	1508	remcos.exe	svchost.exe
PID 1508 wrote to memory of 1200	1508	remcos.exe	svchost.exe
PID 1508 wrote to memory of 1200	1508	remcos.exe	svchost.exe
PID 1508 wrote to memory of 1200	1508	remcos.exe	svchost.exe
PID 1508 wrote to memory of 1200	1508	remcos.exe	svchost.exe
PID 1508 wrote to memory of 1356	1508	remcos.exe	remcos.exe
PID 1508 wrote to memory of 1356	1508	remcos.exe	remcos.exe
PID 1508 wrote to memory of 1356	1508	remcos.exe	remcos.exe
PID 1508 wrote to memory of 1356	1508	remcos.exe	remcos.exe
PID 1508 wrote to memory of 964	1508	remcos.exe	remcos.exe
PID 1508 wrote to memory of 964	1508	remcos.exe	remcos.exe
PID 1508 wrote to memory of 964	1508	remcos.exe	remcos.exe
PID 1508 wrote to memory of 964	1508	remcos.exe	remcos.exe
PID 1508 wrote to memory of 940	1508	remcos.exe	remcos.exe
PID 1508 wrote to memory of 940	1508	remcos.exe	remcos.exe
PID 1508 wrote to memory of 940	1508	remcos.exe	remcos.exe
PID 1508 wrote to memory of 940	1508	remcos.exe	remcos.exe
PID 1508 wrote to memory of 940	1508	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\Product_List_And_Prices.exe
"C:\Users\Admin\AppData\Local\Temp\Product_List_And_Prices.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXyjORiyKl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE273.tmp"
2⤵
- Creates scheduled task(s)
PID:908

C:\Users\Admin\AppData\Local\Temp\Product_List_And_Prices.exe
"C:\Users\Admin\AppData\Local\Temp\Product_List_And_Prices.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:616

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXyjORiyKl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA69.tmp"
6⤵
- Creates scheduled task(s)
PID:1624

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1200

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\uorkukixzzrilbbcyqirrnlocxf"
7⤵
PID:1356

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\uorkukixzzrilbbcyqirrnlocxf"
7⤵
PID:964

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\uorkukixzzrilbbcyqirrnlocxf"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:940

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\frxdmctznhjnnhpohbvlusffdexljn"
7⤵
PID:676

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\hlkwnvetjpbrxnlsymqmffaomkgmkynbh"
7⤵
PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA69.tmp
MD5
46edb1f2533f9cc409f02e63dcf95b32

SHA1
39967979017061ec80289060d71a118480ed7190

SHA256
0a6d34ba7f0bb6fbf58586fa4e210f2cd27cf565989f88713b6372ac34139d8f

SHA512
918d641f60feab0b6d5179e4bdc180b07f79e3da1d915e2e98c82b9575c12510f20274ff94fec156454ec91e641b89d3a98c18821532a2e4bcac8030f7fa988c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE273.tmp
MD5
46edb1f2533f9cc409f02e63dcf95b32

SHA1
39967979017061ec80289060d71a118480ed7190

SHA256
0a6d34ba7f0bb6fbf58586fa4e210f2cd27cf565989f88713b6372ac34139d8f

SHA512
918d641f60feab0b6d5179e4bdc180b07f79e3da1d915e2e98c82b9575c12510f20274ff94fec156454ec91e641b89d3a98c18821532a2e4bcac8030f7fa988c

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
0f2c421ac61c55b966ebedc48ccf44e4

SHA1
2f3a1098c2b6992c25dfb5e07b3035b42df7f0d9

SHA256
490949068e713c6d3c2fd04b38d00573420b0f5ddf1b61672ffd2bd8ce40cad2

SHA512
bf7e61ce7458db49cc214f9328431d9b1beeeba20348b6bf76deb9aeb9596061f117dda57e8f8a3a3f10ff0799f2ff513ddfcb24aa250aec09b577ae09423efe

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
0f2c421ac61c55b966ebedc48ccf44e4

SHA1
2f3a1098c2b6992c25dfb5e07b3035b42df7f0d9

SHA256
490949068e713c6d3c2fd04b38d00573420b0f5ddf1b61672ffd2bd8ce40cad2

SHA512
bf7e61ce7458db49cc214f9328431d9b1beeeba20348b6bf76deb9aeb9596061f117dda57e8f8a3a3f10ff0799f2ff513ddfcb24aa250aec09b577ae09423efe

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
0f2c421ac61c55b966ebedc48ccf44e4

SHA1
2f3a1098c2b6992c25dfb5e07b3035b42df7f0d9

SHA256
490949068e713c6d3c2fd04b38d00573420b0f5ddf1b61672ffd2bd8ce40cad2

SHA512
bf7e61ce7458db49cc214f9328431d9b1beeeba20348b6bf76deb9aeb9596061f117dda57e8f8a3a3f10ff0799f2ff513ddfcb24aa250aec09b577ae09423efe

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
0f2c421ac61c55b966ebedc48ccf44e4

SHA1
2f3a1098c2b6992c25dfb5e07b3035b42df7f0d9

SHA256
490949068e713c6d3c2fd04b38d00573420b0f5ddf1b61672ffd2bd8ce40cad2

SHA512
bf7e61ce7458db49cc214f9328431d9b1beeeba20348b6bf76deb9aeb9596061f117dda57e8f8a3a3f10ff0799f2ff513ddfcb24aa250aec09b577ae09423efe

Download Submit
\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
0f2c421ac61c55b966ebedc48ccf44e4

SHA1
2f3a1098c2b6992c25dfb5e07b3035b42df7f0d9

SHA256
490949068e713c6d3c2fd04b38d00573420b0f5ddf1b61672ffd2bd8ce40cad2

SHA512
bf7e61ce7458db49cc214f9328431d9b1beeeba20348b6bf76deb9aeb9596061f117dda57e8f8a3a3f10ff0799f2ff513ddfcb24aa250aec09b577ae09423efe

Download Submit
memory/616-14-0x0000000000000000-mapping.dmp

Download
memory/632-40-0x000007FEF74B0000-0x000007FEF772A000-memory.dmp

Filesize
2.5MB

Download
memory/776-6-0x0000000004DC0000-0x0000000004E1D000-memory.dmp

Filesize
372KB

Download
memory/776-2-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/776-5-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/776-3-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/808-12-0x0000000000000000-mapping.dmp

Download
memory/808-15-0x0000000002570000-0x0000000002574000-memory.dmp

Filesize
16KB

Download
memory/908-7-0x0000000000000000-mapping.dmp

Download
memory/940-39-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/940-35-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/940-36-0x0000000000476274-mapping.dmp

Download
memory/940-38-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1060-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1060-10-0x0000000000413FA4-mapping.dmp

Download
memory/1060-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1108-21-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1108-20-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/1108-18-0x0000000000000000-mapping.dmp

Download
memory/1200-31-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1200-32-0x00000000004A383E-mapping.dmp

Download
memory/1200-33-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1200-34-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1508-28-0x0000000000413FA4-mapping.dmp

Download
memory/1508-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1624-25-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads