remcos | defe000395c5932a94450bd21a142a954d5113da26ee5127e8cab0980a62b042

General

Target

TASK RFQ TK011521.exe
Size

901KB
MD5

9618ffdc9d54fb0d153fb47e7e323983
SHA1

c3da94a42035f6b913ea6cd2b2e477bd8a71787d
SHA256

defe000395c5932a94450bd21a142a954d5113da26ee5127e8cab0980a62b042
SHA512

67cbb8bb38278b3c6fbf974092cc77b7d17902c89a6d09d5ece7f84f7eda259b28f7ba9362f4c1a111b0d7b1205724a8d7ff21d2ca599d1eeafc0b6032fc435e

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

jackpiaau.duckdns.org:4902

ihechi.ddns.net:4902

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

TASK RFQ TK011521.exe

description pid process target process

PID 1936 set thread context of 348 1936 TASK RFQ TK011521.exe vbc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1088 schtasks.exe

description	pid	process	target process
PID 1936 set thread context of 348	1936	TASK RFQ TK011521.exe	vbc.exe

pid	process
1088	schtasks.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

TASK RFQ TK011521.exe

description	pid	process	target process
PID 1936 wrote to memory of 1088	1936	TASK RFQ TK011521.exe	schtasks.exe
PID 1936 wrote to memory of 1088	1936	TASK RFQ TK011521.exe	schtasks.exe
PID 1936 wrote to memory of 1088	1936	TASK RFQ TK011521.exe	schtasks.exe
PID 1936 wrote to memory of 1088	1936	TASK RFQ TK011521.exe	schtasks.exe
PID 1936 wrote to memory of 348	1936	TASK RFQ TK011521.exe	vbc.exe
PID 1936 wrote to memory of 348	1936	TASK RFQ TK011521.exe	vbc.exe
PID 1936 wrote to memory of 348	1936	TASK RFQ TK011521.exe	vbc.exe
PID 1936 wrote to memory of 348	1936	TASK RFQ TK011521.exe	vbc.exe
PID 1936 wrote to memory of 348	1936	TASK RFQ TK011521.exe	vbc.exe
PID 1936 wrote to memory of 348	1936	TASK RFQ TK011521.exe	vbc.exe
PID 1936 wrote to memory of 348	1936	TASK RFQ TK011521.exe	vbc.exe
PID 1936 wrote to memory of 348	1936	TASK RFQ TK011521.exe	vbc.exe
PID 1936 wrote to memory of 348	1936	TASK RFQ TK011521.exe	vbc.exe
PID 1936 wrote to memory of 348	1936	TASK RFQ TK011521.exe	vbc.exe
PID 1936 wrote to memory of 348	1936	TASK RFQ TK011521.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\TASK RFQ TK011521.exe
"C:\Users\Admin\AppData\Local\Temp\TASK RFQ TK011521.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wUDszCxvqV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp476C.tmp"
2⤵
- Creates scheduled task(s)
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp476C.tmp
MD5
f6f2114c3f4e96edcd6f9538aabbae34

SHA1
2712bfb8fcfc2da0658292ac1cf10dea5563b47c

SHA256
c52403d1e2d5a57648c2e3d9b3e7c2b09b4128e5779fb1977570d5c23e720419

SHA512
92e05bd481844f80bacc1f3440af2b3248b1eb22dcc1f3bddb156fa037dfb3630e9cba8df86af0906eefc6ec01776c9bdfe8e20f2ba62be5de12c54bab28ecb2

Download Submit
memory/348-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/348-10-0x0000000000413FA4-mapping.dmp

Download
memory/348-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1088-7-0x0000000000000000-mapping.dmp

Download
memory/1936-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1936-3-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/1936-5-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/1936-6-0x0000000001320000-0x0000000001378000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads