remcos | 721059bc4edd6685620382cf7c1f86f95f8b20317e4bb22d0e8d364705f73c2e

General

Target

QUOTATION 18 1 2021.exe
Size

1011KB
MD5

86bf1b4b8a10cbad324603bdfe946f90
SHA1

efa4298cbc45052986d42c59564ff37b56a61925
SHA256

721059bc4edd6685620382cf7c1f86f95f8b20317e4bb22d0e8d364705f73c2e
SHA512

78ed2a27fd6496f34314ba2b32e3d37d2f6dd2ac32fd5ec932865087ae2a622ca3dac4e2ae8db69bc014d805f39d6cf2e16edaf654e07d276e355d6c0bd2a106

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

79.134.225.100:1011

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

QUOTATION 18 1 2021.exe

description pid process target process

PID 4712 set thread context of 4372 4712 QUOTATION 18 1 2021.exe vbc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1864 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

4372 vbc.exe

description	pid	process	target process
PID 4712 set thread context of 4372	4712	QUOTATION 18 1 2021.exe	vbc.exe

pid	process
1864	schtasks.exe

pid	process
4372	vbc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

QUOTATION 18 1 2021.exe

description	pid	process	target process
PID 4712 wrote to memory of 1864	4712	QUOTATION 18 1 2021.exe	schtasks.exe
PID 4712 wrote to memory of 1864	4712	QUOTATION 18 1 2021.exe	schtasks.exe
PID 4712 wrote to memory of 1864	4712	QUOTATION 18 1 2021.exe	schtasks.exe
PID 4712 wrote to memory of 4372	4712	QUOTATION 18 1 2021.exe	vbc.exe
PID 4712 wrote to memory of 4372	4712	QUOTATION 18 1 2021.exe	vbc.exe
PID 4712 wrote to memory of 4372	4712	QUOTATION 18 1 2021.exe	vbc.exe
PID 4712 wrote to memory of 4372	4712	QUOTATION 18 1 2021.exe	vbc.exe
PID 4712 wrote to memory of 4372	4712	QUOTATION 18 1 2021.exe	vbc.exe
PID 4712 wrote to memory of 4372	4712	QUOTATION 18 1 2021.exe	vbc.exe
PID 4712 wrote to memory of 4372	4712	QUOTATION 18 1 2021.exe	vbc.exe
PID 4712 wrote to memory of 4372	4712	QUOTATION 18 1 2021.exe	vbc.exe
PID 4712 wrote to memory of 4372	4712	QUOTATION 18 1 2021.exe	vbc.exe
PID 4712 wrote to memory of 4372	4712	QUOTATION 18 1 2021.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION 18 1 2021.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION 18 1 2021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dqRqOTc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB43D.tmp"
2⤵
- Creates scheduled task(s)
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:4372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB43D.tmp
MD5
042d030f6fd63e4992b02f6484cd9fca

SHA1
f82ce2009c86a7348ccb796ee34d1942a517c3ff

SHA256
08d2f5c756144479d57ce3d60ec00d279302d476af190d445957dc17cd9fae58

SHA512
fb687cd8eec587f65f2c19bb4ef4ee1587d80bbd33006b1730e5ef422a1ccd3f983462e3842178ea9867ef751264925c27ee3c1f8d3e2501cb641d76a5ef5642

Download Submit
memory/1864-13-0x0000000000000000-mapping.dmp

Download
memory/4372-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4372-16-0x0000000000413FA4-mapping.dmp

Download
memory/4372-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4712-9-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/4712-2-0x0000000073530000-0x0000000073C1E000-memory.dmp

Filesize
6.9MB

Download
memory/4712-10-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/4712-11-0x0000000005AE0000-0x0000000005AF3000-memory.dmp

Filesize
76KB

Download
memory/4712-12-0x00000000016D0000-0x000000000176F000-memory.dmp

Filesize
636KB

Download
memory/4712-8-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/4712-7-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/4712-6-0x0000000005D80000-0x0000000005D81000-memory.dmp

Filesize
4KB

Download
memory/4712-5-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/4712-3-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads