remcos | 5e31a4916e479c18347d59e0a98dc12738efb5acbad3ba3e677fb24fd87e7adc

General

Target

QUOTATION.exe
Size

1.1MB
MD5

848bfb3ad0bfdf896826370e1e567fcc
SHA1

54226c763412ca16832d5e11e1d9165c1df13534
SHA256

5e31a4916e479c18347d59e0a98dc12738efb5acbad3ba3e677fb24fd87e7adc
SHA512

d3c77db32580cb9c27c6307bd6c4cb568a73dfb7ace91d6d3eec2acfa0ff4fcecc79f6c91e234badf59f15076e692189a5b77ddabbad0105d690a37a491ce85a

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

79.134.225.100:1011

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 4 IoCs

Processes:

QUOTATION.exevbc.exe

description	pid	process	target process
PID 1904 set thread context of 1192	1904	QUOTATION.exe	vbc.exe
PID 1192 set thread context of 1488	1192	vbc.exe	vbc.exe
PID 1192 set thread context of 1900	1192	vbc.exe	vbc.exe
PID 1192 set thread context of 1352	1192	vbc.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

268 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

1488 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 1900 vbc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

1192 vbc.exe

pid	process
268	schtasks.exe

pid	process
1488	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1900	vbc.exe

pid	process
1192	vbc.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

QUOTATION.exevbc.exe

description	pid	process	target process
PID 1904 wrote to memory of 268	1904	QUOTATION.exe	schtasks.exe
PID 1904 wrote to memory of 268	1904	QUOTATION.exe	schtasks.exe
PID 1904 wrote to memory of 268	1904	QUOTATION.exe	schtasks.exe
PID 1904 wrote to memory of 268	1904	QUOTATION.exe	schtasks.exe
PID 1904 wrote to memory of 1192	1904	QUOTATION.exe	vbc.exe
PID 1904 wrote to memory of 1192	1904	QUOTATION.exe	vbc.exe
PID 1904 wrote to memory of 1192	1904	QUOTATION.exe	vbc.exe
PID 1904 wrote to memory of 1192	1904	QUOTATION.exe	vbc.exe
PID 1904 wrote to memory of 1192	1904	QUOTATION.exe	vbc.exe
PID 1904 wrote to memory of 1192	1904	QUOTATION.exe	vbc.exe
PID 1904 wrote to memory of 1192	1904	QUOTATION.exe	vbc.exe
PID 1904 wrote to memory of 1192	1904	QUOTATION.exe	vbc.exe
PID 1904 wrote to memory of 1192	1904	QUOTATION.exe	vbc.exe
PID 1904 wrote to memory of 1192	1904	QUOTATION.exe	vbc.exe
PID 1904 wrote to memory of 1192	1904	QUOTATION.exe	vbc.exe
PID 1192 wrote to memory of 1488	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1488	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1488	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1488	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1488	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1488	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1488	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1488	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1488	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1900	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1900	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1900	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1900	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1900	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1900	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1900	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1900	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1900	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1352	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1352	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1352	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1352	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1352	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1352	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1352	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1352	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 1352	1192	vbc.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uSaartra" /XML "C:\Users\Admin\AppData\Local\Temp\tmp94D0.tmp"
2⤵
- Creates scheduled task(s)
PID:268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\ynkeaffxkohwujfmzyfxla"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\appptxpqywzjextqiizroezmo"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\ljuhtqasmerogepuztmszrlvowgae"
3⤵
PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp94D0.tmp
MD5
fd4a12173c39cd24837c3c749504925b

SHA1
8b7cf51f91f7b3a317fbbc6f769fd1f4eca9188e

SHA256
b97d7aaaee033ddb1c0936f96eea81b89d8c8d5073be107647e2403bced9a7b0

SHA512
90409daee288083ddfc129ca121b11b02ecf7ca38d8558d18acb3dc35450004001ce9ed4c6547147da0523b8966ab918cc98b78ec9c8f788119962d0be074ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynkeaffxkohwujfmzyfxla
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/268-8-0x0000000000000000-mapping.dmp

Download
memory/868-23-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp

Filesize
2.5MB

Download
memory/1192-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1192-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1192-11-0x0000000000413FA4-mapping.dmp

Download
memory/1192-12-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1352-20-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1352-27-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1352-21-0x0000000000455238-mapping.dmp

Download
memory/1488-25-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1488-14-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1488-15-0x0000000000476274-mapping.dmp

Download
memory/1900-18-0x0000000000422206-mapping.dmp

Download
memory/1900-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1900-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1904-7-0x0000000004900000-0x00000000049A4000-memory.dmp

Filesize
656KB

Download
memory/1904-5-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1904-3-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1904-2-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/1904-6-0x00000000007B0000-0x00000000007C3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads