remcos | fe719ecb5f04ed964bd5fdecc2085bdb1518358c65d12462fcddb66a6015740d

General

Target

Shipment Receipt.exe
Size

645KB
MD5

ff18c255222072cfb586481fb1df38e8
SHA1

590ee95cd05e6df3c52c07c308ac081e28f03e1b
SHA256

fe719ecb5f04ed964bd5fdecc2085bdb1518358c65d12462fcddb66a6015740d
SHA512

46c53805c144cc1fef06626c5b1df821f966b9c8c51151676b1d105795059d4de573309da61c3e148a01affff47b4446fca81cab39062c8945273344ce736854

Score

10^/10

remcos rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1720 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Shipment Receipt.exe

pid process

1528 Shipment Receipt.exe

pid	process
1720	schtasks.exe

pid	process
1528	Shipment Receipt.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Shipment Receipt.execmd.exeShipment Receipt.exeShipment Receipt.exeShipment Receipt.exe

description	pid	process	target process
PID 644 wrote to memory of 2044	644	Shipment Receipt.exe	cmd.exe
PID 644 wrote to memory of 2044	644	Shipment Receipt.exe	cmd.exe
PID 644 wrote to memory of 2044	644	Shipment Receipt.exe	cmd.exe
PID 644 wrote to memory of 2044	644	Shipment Receipt.exe	cmd.exe
PID 644 wrote to memory of 1756	644	Shipment Receipt.exe	Shipment Receipt.exe
PID 644 wrote to memory of 1756	644	Shipment Receipt.exe	Shipment Receipt.exe
PID 644 wrote to memory of 1756	644	Shipment Receipt.exe	Shipment Receipt.exe
PID 644 wrote to memory of 1756	644	Shipment Receipt.exe	Shipment Receipt.exe
PID 2044 wrote to memory of 1720	2044	cmd.exe	schtasks.exe
PID 2044 wrote to memory of 1720	2044	cmd.exe	schtasks.exe
PID 2044 wrote to memory of 1720	2044	cmd.exe	schtasks.exe
PID 2044 wrote to memory of 1720	2044	cmd.exe	schtasks.exe
PID 1756 wrote to memory of 1804	1756	Shipment Receipt.exe	Shipment Receipt.exe
PID 1756 wrote to memory of 1804	1756	Shipment Receipt.exe	Shipment Receipt.exe
PID 1756 wrote to memory of 1804	1756	Shipment Receipt.exe	Shipment Receipt.exe
PID 1756 wrote to memory of 1804	1756	Shipment Receipt.exe	Shipment Receipt.exe
PID 1804 wrote to memory of 1492	1804	Shipment Receipt.exe	Shipment Receipt.exe
PID 1804 wrote to memory of 1492	1804	Shipment Receipt.exe	Shipment Receipt.exe
PID 1804 wrote to memory of 1492	1804	Shipment Receipt.exe	Shipment Receipt.exe
PID 1804 wrote to memory of 1492	1804	Shipment Receipt.exe	Shipment Receipt.exe
PID 1492 wrote to memory of 1528	1492	Shipment Receipt.exe	Shipment Receipt.exe
PID 1492 wrote to memory of 1528	1492	Shipment Receipt.exe	Shipment Receipt.exe
PID 1492 wrote to memory of 1528	1492	Shipment Receipt.exe	Shipment Receipt.exe
PID 1492 wrote to memory of 1528	1492	Shipment Receipt.exe	Shipment Receipt.exe

C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe
"C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN flies /XML "C:\Users\Admin\AppData\Local\Temp\580d4f859ac64ea0a20365f9ab526d67.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN flies /XML "C:\Users\Admin\AppData\Local\Temp\580d4f859ac64ea0a20365f9ab526d67.xml"
3⤵
- Creates scheduled task(s)
PID:1720

C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe
"C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe
"C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe
"C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe
"C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\580d4f859ac64ea0a20365f9ab526d67.xml
MD5
bbfed1ef65349746ce959650c67698df

SHA1
5471783456e3a6fa3bbbfd7f86baccf14e4611a2

SHA256
c7fab9fa6ed205797af4a2d59f5afc4e0a60d53cddca3a18149e48b0a805381a

SHA512
98c3cda8f89cb3827e6697d0d96148ce4b7c9dfa2c16a219e60ec9d19a11c60e6e1ae1f4aabd49c997e8f5ce1e05235c989c27410559ce42eef3c5a69b9813e1

Download Submit
memory/1492-7-0x0000000000000000-mapping.dmp

Download
memory/1528-8-0x0000000000000000-mapping.dmp

Download
memory/1720-4-0x0000000000000000-mapping.dmp

Download
memory/1756-3-0x0000000000000000-mapping.dmp

Download
memory/1804-6-0x0000000000000000-mapping.dmp

Download
memory/2044-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads