remcos | defe000395c5932a94450bd21a142a954d5113da26ee5127e8cab0980a62b042

General

Target

TASK RFQ TK011521.exe
Size

901KB
MD5

9618ffdc9d54fb0d153fb47e7e323983
SHA1

c3da94a42035f6b913ea6cd2b2e477bd8a71787d
SHA256

defe000395c5932a94450bd21a142a954d5113da26ee5127e8cab0980a62b042
SHA512

67cbb8bb38278b3c6fbf974092cc77b7d17902c89a6d09d5ece7f84f7eda259b28f7ba9362f4c1a111b0d7b1205724a8d7ff21d2ca599d1eeafc0b6032fc435e

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

jackpiaau.duckdns.org:4902

ihechi.ddns.net:4902

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

TASK RFQ TK011521.exe

description pid process target process

PID 2432 set thread context of 3124 2432 TASK RFQ TK011521.exe vbc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3616 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

TASK RFQ TK011521.exe

pid process

2432 TASK RFQ TK011521.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TASK RFQ TK011521.exe

description pid process

Token: SeDebugPrivilege 2432 TASK RFQ TK011521.exe

description	pid	process	target process
PID 2432 set thread context of 3124	2432	TASK RFQ TK011521.exe	vbc.exe

pid	process
3616	schtasks.exe

pid	process
2432	TASK RFQ TK011521.exe

description	pid	process
Token: SeDebugPrivilege	2432	TASK RFQ TK011521.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

TASK RFQ TK011521.exe

description	pid	process	target process
PID 2432 wrote to memory of 3616	2432	TASK RFQ TK011521.exe	schtasks.exe
PID 2432 wrote to memory of 3616	2432	TASK RFQ TK011521.exe	schtasks.exe
PID 2432 wrote to memory of 3616	2432	TASK RFQ TK011521.exe	schtasks.exe
PID 2432 wrote to memory of 3124	2432	TASK RFQ TK011521.exe	vbc.exe
PID 2432 wrote to memory of 3124	2432	TASK RFQ TK011521.exe	vbc.exe
PID 2432 wrote to memory of 3124	2432	TASK RFQ TK011521.exe	vbc.exe
PID 2432 wrote to memory of 3124	2432	TASK RFQ TK011521.exe	vbc.exe
PID 2432 wrote to memory of 3124	2432	TASK RFQ TK011521.exe	vbc.exe
PID 2432 wrote to memory of 3124	2432	TASK RFQ TK011521.exe	vbc.exe
PID 2432 wrote to memory of 3124	2432	TASK RFQ TK011521.exe	vbc.exe
PID 2432 wrote to memory of 3124	2432	TASK RFQ TK011521.exe	vbc.exe
PID 2432 wrote to memory of 3124	2432	TASK RFQ TK011521.exe	vbc.exe
PID 2432 wrote to memory of 3124	2432	TASK RFQ TK011521.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\TASK RFQ TK011521.exe
"C:\Users\Admin\AppData\Local\Temp\TASK RFQ TK011521.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wUDszCxvqV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC88.tmp"
2⤵
- Creates scheduled task(s)
PID:3616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCC88.tmp
MD5
c7e77e095f2ca1ade7372e83ae8e0117

SHA1
d617fe4e9b171eb0e7b212a246aeabb99e09702b

SHA256
b39d8d0dc53a7bc46f007e8991638291cd0213ed91c0256a3eb0e18d4f4e36c7

SHA512
6efb0aba58a1ae149c0e587485fe4d041425f5958c59fe9e24d589c828db1d46aa4c3f13c20eb46c1f21960efeded21a7cab9fe15e990add8e6a953a8fc448cf

Download Submit
memory/2432-9-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/2432-5-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/2432-6-0x0000000005EF0000-0x0000000005EF1000-memory.dmp

Filesize
4KB

Download
memory/2432-7-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/2432-8-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/2432-2-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-10-0x0000000005990000-0x00000000059A2000-memory.dmp

Filesize
72KB

Download
memory/2432-11-0x0000000006570000-0x00000000065C8000-memory.dmp

Filesize
352KB

Download
memory/2432-3-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3124-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3124-15-0x0000000000413FA4-mapping.dmp

Download
memory/3124-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3616-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads