remcos | c55d612d19305f4d4cc486f3129d64fd25bfcb58725b18bfb4c8a9e002c0b651

General

Target

ir_exe.exe
Size

657KB
MD5

de43b3e46361b3522be35d19af67db4d
SHA1

6009ec1f95be87abf4b379aaa089095c1a148886
SHA256

c55d612d19305f4d4cc486f3129d64fd25bfcb58725b18bfb4c8a9e002c0b651
SHA512

dbcd668d1dd5859bf1abdab9f3d9bb4094f99c66f656c76dadd5906e2b53be3be54087b6b54a91aa9bfad1f003d5196c922cf482dd0824ed69c3b96418ea56cd

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

5.181.166.25:27350

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

ir_exe.exe

description pid process target process

PID 540 set thread context of 3980 540 ir_exe.exe ir_exe.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2312 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ir_exe.exe

pid process

3980 ir_exe.exe

description	pid	process	target process
PID 540 set thread context of 3980	540	ir_exe.exe	ir_exe.exe

pid	process
2312	schtasks.exe

pid	process
3980	ir_exe.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

ir_exe.exe

description	pid	process	target process
PID 540 wrote to memory of 2312	540	ir_exe.exe	schtasks.exe
PID 540 wrote to memory of 2312	540	ir_exe.exe	schtasks.exe
PID 540 wrote to memory of 2312	540	ir_exe.exe	schtasks.exe
PID 540 wrote to memory of 3980	540	ir_exe.exe	ir_exe.exe
PID 540 wrote to memory of 3980	540	ir_exe.exe	ir_exe.exe
PID 540 wrote to memory of 3980	540	ir_exe.exe	ir_exe.exe
PID 540 wrote to memory of 3980	540	ir_exe.exe	ir_exe.exe
PID 540 wrote to memory of 3980	540	ir_exe.exe	ir_exe.exe
PID 540 wrote to memory of 3980	540	ir_exe.exe	ir_exe.exe
PID 540 wrote to memory of 3980	540	ir_exe.exe	ir_exe.exe
PID 540 wrote to memory of 3980	540	ir_exe.exe	ir_exe.exe
PID 540 wrote to memory of 3980	540	ir_exe.exe	ir_exe.exe
PID 540 wrote to memory of 3980	540	ir_exe.exe	ir_exe.exe

C:\Users\Admin\AppData\Local\Temp\ir_exe.exe
"C:\Users\Admin\AppData\Local\Temp\ir_exe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QEZTeXwcCq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3951.tmp"
2⤵
- Creates scheduled task(s)
PID:2312

C:\Users\Admin\AppData\Local\Temp\ir_exe.exe
"C:\Users\Admin\AppData\Local\Temp\ir_exe.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:3980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3951.tmp
MD5
6c9abc40750005ce38e38eb515971579

SHA1
0cfa6b1e190de24e6d5a54d3478ac035eb909da6

SHA256
eeb18597190fc59b1ab95682dc3f0ec424c135a14e3172611b03a73be9e26d73

SHA512
cac434d8a5b356ef402af02e075193cf3064f6d30f836da283cb646cbf4725b6349f70c7eaaebb610f3bd36dd165fb5c51c199d8618a7a5442619583b6aa41cd

Download Submit
memory/540-9-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/540-5-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/540-6-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/540-7-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/540-8-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/540-2-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/540-10-0x0000000005300000-0x0000000005312000-memory.dmp

Filesize
72KB

Download
memory/540-11-0x0000000005E60000-0x0000000005EBE000-memory.dmp

Filesize
376KB

Download
memory/540-3-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2312-12-0x0000000000000000-mapping.dmp

Download
memory/3980-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3980-15-0x0000000000413FA4-mapping.dmp

Download
memory/3980-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads