remcos | 5e31a4916e479c18347d59e0a98dc12738efb5acbad3ba3e677fb24fd87e7adc

General

Target

QUOTATION.exe
Size

1.1MB
MD5

848bfb3ad0bfdf896826370e1e567fcc
SHA1

54226c763412ca16832d5e11e1d9165c1df13534
SHA256

5e31a4916e479c18347d59e0a98dc12738efb5acbad3ba3e677fb24fd87e7adc
SHA512

d3c77db32580cb9c27c6307bd6c4cb568a73dfb7ace91d6d3eec2acfa0ff4fcecc79f6c91e234badf59f15076e692189a5b77ddabbad0105d690a37a491ce85a

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

79.134.225.100:1011

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 4 IoCs

Processes:

QUOTATION.exevbc.exe

description	pid	process	target process
PID 828 set thread context of 1192	828	QUOTATION.exe	vbc.exe
PID 1192 set thread context of 3576	1192	vbc.exe	vbc.exe
PID 1192 set thread context of 3976	1192	vbc.exe	vbc.exe
PID 1192 set thread context of 3916	1192	vbc.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3428 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

vbc.exevbc.exe

pid process

3576 vbc.exe
3576 vbc.exe
3976 vbc.exe
3976 vbc.exe
3576 vbc.exe
3576 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 3976 vbc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

1192 vbc.exe

pid	process
3428	schtasks.exe

pid	process
3576	vbc.exe
3576	vbc.exe
3976	vbc.exe
3976	vbc.exe
3576	vbc.exe
3576	vbc.exe

description	pid	process
Token: SeDebugPrivilege	3976	vbc.exe

pid	process
1192	vbc.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

QUOTATION.exevbc.exe

description	pid	process	target process
PID 828 wrote to memory of 3428	828	QUOTATION.exe	schtasks.exe
PID 828 wrote to memory of 3428	828	QUOTATION.exe	schtasks.exe
PID 828 wrote to memory of 3428	828	QUOTATION.exe	schtasks.exe
PID 828 wrote to memory of 1192	828	QUOTATION.exe	vbc.exe
PID 828 wrote to memory of 1192	828	QUOTATION.exe	vbc.exe
PID 828 wrote to memory of 1192	828	QUOTATION.exe	vbc.exe
PID 828 wrote to memory of 1192	828	QUOTATION.exe	vbc.exe
PID 828 wrote to memory of 1192	828	QUOTATION.exe	vbc.exe
PID 828 wrote to memory of 1192	828	QUOTATION.exe	vbc.exe
PID 828 wrote to memory of 1192	828	QUOTATION.exe	vbc.exe
PID 828 wrote to memory of 1192	828	QUOTATION.exe	vbc.exe
PID 828 wrote to memory of 1192	828	QUOTATION.exe	vbc.exe
PID 828 wrote to memory of 1192	828	QUOTATION.exe	vbc.exe
PID 1192 wrote to memory of 3632	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3632	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3632	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3576	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3576	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3576	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3576	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3576	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3576	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3576	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3576	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3976	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3976	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3976	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3976	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3976	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3976	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3976	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3976	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3916	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3916	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3916	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3916	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3916	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3916	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3916	1192	vbc.exe	vbc.exe
PID 1192 wrote to memory of 3916	1192	vbc.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uSaartra" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF76.tmp"
2⤵
- Creates scheduled task(s)
PID:3428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\haxm"
3⤵
PID:3632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\haxm"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\jdcfbhg"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\uxhxcarsoct"
3⤵
PID:3916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\haxm
MD5
814b5ce4cad79d36055d2d4b5958cc31

SHA1
2a06a869615f0858479371b0415899681fb0c7d8

SHA256
6d1fa1a75faec2b39e8a2a1df8dd0f15e5256de7da7c527225ecf22fdacaf559

SHA512
a82fa1594ccbe1df93a973a01c787a6baa0ce8a97c0b0b0a844c90cb6be092b1094636b4d88c568fece95cd9bdfe4412875011abe318373a4fcfc218f93d1278

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF76.tmp
MD5
1bd1a7bec194c3566543dda2d178ffdb

SHA1
e359294e3eb2de840eb4de6dae3d8df03634b96d

SHA256
346a6de71e129b0b600128e93f0b8361a90402cfba84a8bd65ee5bb14b673fc0

SHA512
60b147daf106d1d48bd420ffe0d8aed42afc5f3c1fb2e4b1650459caf91e8938623a45bec21bd594bbe5b0adf305a4e1a329846004f1ab70c465a82e4fc04ba2

Download Submit
memory/828-9-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/828-6-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/828-7-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/828-8-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/828-2-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/828-10-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/828-11-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/828-12-0x0000000004F70000-0x0000000004F83000-memory.dmp

Filesize
76KB

Download
memory/828-13-0x0000000005AC0000-0x0000000005B64000-memory.dmp

Filesize
656KB

Download
memory/828-5-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/828-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1192-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1192-17-0x0000000000413FA4-mapping.dmp

Download
memory/1192-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3428-14-0x0000000000000000-mapping.dmp

Download
memory/3576-19-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3576-25-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3576-20-0x0000000000476274-mapping.dmp

Download
memory/3916-27-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3916-24-0x0000000000455238-mapping.dmp

Download
memory/3916-23-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3976-22-0x0000000000422206-mapping.dmp

Download
memory/3976-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3976-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads