remcos | 2a451883bcabf318c2d3acc4b2259716c744a76cda9a68b5798dfc157f94e8cb

General

Target

originalcopy2021_pdf.exe
Size

845KB
MD5

96038a49c8581a2e6c32b9f87c781c68
SHA1

3a9a2ceceafd02a16c5e76674007973b8d34a71a
SHA256

2a451883bcabf318c2d3acc4b2259716c744a76cda9a68b5798dfc157f94e8cb
SHA512

ce2eaa5f871ab0ce7f72493e9df1c4feccd994bca46fef3b6fdfd7e34531a729e64e725159de905854414eaa739dafce10355abbfd2b3bf3266cedd824e731bc

Score

10^/10

remcos rat

Family

remcos

C2

96.9.246.149:2024

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

originalcopy2021_pdf.exe

description pid process target process

PID 860 set thread context of 2984 860 originalcopy2021_pdf.exe originalcopy2021_pdf.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

originalcopy2021_pdf.exe

pid process

860 originalcopy2021_pdf.exe
860 originalcopy2021_pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

originalcopy2021_pdf.exe

description pid process

Token: SeDebugPrivilege 860 originalcopy2021_pdf.exe

description	pid	process	target process
PID 860 set thread context of 2984	860	originalcopy2021_pdf.exe	originalcopy2021_pdf.exe

pid	process
860	originalcopy2021_pdf.exe
860	originalcopy2021_pdf.exe

description	pid	process
Token: SeDebugPrivilege	860	originalcopy2021_pdf.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

originalcopy2021_pdf.exe

description	pid	process	target process
PID 860 wrote to memory of 3856	860	originalcopy2021_pdf.exe	originalcopy2021_pdf.exe
PID 860 wrote to memory of 3856	860	originalcopy2021_pdf.exe	originalcopy2021_pdf.exe
PID 860 wrote to memory of 3856	860	originalcopy2021_pdf.exe	originalcopy2021_pdf.exe
PID 860 wrote to memory of 2984	860	originalcopy2021_pdf.exe	originalcopy2021_pdf.exe
PID 860 wrote to memory of 2984	860	originalcopy2021_pdf.exe	originalcopy2021_pdf.exe
PID 860 wrote to memory of 2984	860	originalcopy2021_pdf.exe	originalcopy2021_pdf.exe
PID 860 wrote to memory of 2984	860	originalcopy2021_pdf.exe	originalcopy2021_pdf.exe
PID 860 wrote to memory of 2984	860	originalcopy2021_pdf.exe	originalcopy2021_pdf.exe
PID 860 wrote to memory of 2984	860	originalcopy2021_pdf.exe	originalcopy2021_pdf.exe
PID 860 wrote to memory of 2984	860	originalcopy2021_pdf.exe	originalcopy2021_pdf.exe
PID 860 wrote to memory of 2984	860	originalcopy2021_pdf.exe	originalcopy2021_pdf.exe
PID 860 wrote to memory of 2984	860	originalcopy2021_pdf.exe	originalcopy2021_pdf.exe
PID 860 wrote to memory of 2984	860	originalcopy2021_pdf.exe	originalcopy2021_pdf.exe

C:\Users\Admin\AppData\Local\Temp\originalcopy2021_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\originalcopy2021_pdf.exe"
2⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\originalcopy2021_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\originalcopy2021_pdf.exe"
2⤵
PID:2984

memory/860-2-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/860-3-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/860-5-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/860-6-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/860-7-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/860-8-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/860-9-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/860-10-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/860-11-0x0000000005850000-0x0000000005862000-memory.dmp

Filesize
72KB

Download
memory/860-12-0x0000000005C50000-0x0000000005CA8000-memory.dmp

Filesize
352KB

Download
memory/2984-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2984-14-0x0000000000413FA4-mapping.dmp

Download
memory/2984-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download