remcos | 721059bc4edd6685620382cf7c1f86f95f8b20317e4bb22d0e8d364705f73c2e

General

Target

QUOTATION 18 1 2021.exe
Size

1011KB
MD5

86bf1b4b8a10cbad324603bdfe946f90
SHA1

efa4298cbc45052986d42c59564ff37b56a61925
SHA256

721059bc4edd6685620382cf7c1f86f95f8b20317e4bb22d0e8d364705f73c2e
SHA512

78ed2a27fd6496f34314ba2b32e3d37d2f6dd2ac32fd5ec932865087ae2a622ca3dac4e2ae8db69bc014d805f39d6cf2e16edaf654e07d276e355d6c0bd2a106

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

79.134.225.100:1011

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

QUOTATION 18 1 2021.exe

description pid process target process

PID 776 set thread context of 1512 776 QUOTATION 18 1 2021.exe vbc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

268 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

1512 vbc.exe

description	pid	process	target process
PID 776 set thread context of 1512	776	QUOTATION 18 1 2021.exe	vbc.exe

pid	process
268	schtasks.exe

pid	process
1512	vbc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

QUOTATION 18 1 2021.exe

description	pid	process	target process
PID 776 wrote to memory of 268	776	QUOTATION 18 1 2021.exe	schtasks.exe
PID 776 wrote to memory of 268	776	QUOTATION 18 1 2021.exe	schtasks.exe
PID 776 wrote to memory of 268	776	QUOTATION 18 1 2021.exe	schtasks.exe
PID 776 wrote to memory of 268	776	QUOTATION 18 1 2021.exe	schtasks.exe
PID 776 wrote to memory of 1512	776	QUOTATION 18 1 2021.exe	vbc.exe
PID 776 wrote to memory of 1512	776	QUOTATION 18 1 2021.exe	vbc.exe
PID 776 wrote to memory of 1512	776	QUOTATION 18 1 2021.exe	vbc.exe
PID 776 wrote to memory of 1512	776	QUOTATION 18 1 2021.exe	vbc.exe
PID 776 wrote to memory of 1512	776	QUOTATION 18 1 2021.exe	vbc.exe
PID 776 wrote to memory of 1512	776	QUOTATION 18 1 2021.exe	vbc.exe
PID 776 wrote to memory of 1512	776	QUOTATION 18 1 2021.exe	vbc.exe
PID 776 wrote to memory of 1512	776	QUOTATION 18 1 2021.exe	vbc.exe
PID 776 wrote to memory of 1512	776	QUOTATION 18 1 2021.exe	vbc.exe
PID 776 wrote to memory of 1512	776	QUOTATION 18 1 2021.exe	vbc.exe
PID 776 wrote to memory of 1512	776	QUOTATION 18 1 2021.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION 18 1 2021.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION 18 1 2021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dqRqOTc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp957C.tmp"
2⤵
- Creates scheduled task(s)
PID:268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp957C.tmp
MD5
52fea57eddd02a6e6e664b2a8c1ddcc3

SHA1
e99495ff75cbe4361baa0ddcd39c86e2de48150b

SHA256
a4c614807c10d60d3b82bc6e8522bfc22a17bb52997caf883903fddc33bb158e

SHA512
3e9d1dbb321dd6d294976926f4d18e281aa6c0b24137b3395215d5bf8eb6bf46aee5dfb3dd9470b468f9b67e7d060f63cd78fe9d06aa87a9e54848cdef4ccc84

Download Submit
memory/268-8-0x0000000000000000-mapping.dmp

Download
memory/776-2-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/776-3-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/776-5-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/776-6-0x0000000000410000-0x0000000000423000-memory.dmp

Filesize
76KB

Download
memory/776-7-0x0000000002440000-0x00000000024DF000-memory.dmp

Filesize
636KB

Download
memory/1512-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1512-11-0x0000000000413FA4-mapping.dmp

Download
memory/1512-12-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1512-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads