remcos | c363769d3d6ae833d71203a5a678ad04349404eae3788865fcdb706c3c7543b0

General

Target

Lists.exe
Size

799KB
MD5

c715a5419ed1ece6e2051e35d3674cc3
SHA1

98e8a74c315b42b88e73129108d5ad338c888124
SHA256

c363769d3d6ae833d71203a5a678ad04349404eae3788865fcdb706c3c7543b0
SHA512

1cbec375fff5500f8247c4be30b6aa15de47ab73b7d914036c76b05ca9db6eb89aad21f1d45fe955c068a8df94393d34a1b88c2fc159340b72759c0dfa93983d

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

185.140.53.136:1818

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

remcos.exeremcos.exeremcos.exe

pid process

2756 remcos.exe
4076 remcos.exe
1124 remcos.exe

pid	process
2756	remcos.exe
4076	remcos.exe
1124	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Lists.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Lists.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	Lists.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3412 schtasks.exe
Modifies registry class 1 IoCs

Processes:

Lists.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings Lists.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

1124 remcos.exe

pid	process
3412	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	Lists.exe

pid	process
1124	remcos.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Lists.execmd.exeWScript.execmd.exeremcos.exeremcos.exe

description	pid	process	target process
PID 4032 wrote to memory of 3876	4032	Lists.exe	cmd.exe
PID 4032 wrote to memory of 3876	4032	Lists.exe	cmd.exe
PID 4032 wrote to memory of 3876	4032	Lists.exe	cmd.exe
PID 3876 wrote to memory of 3412	3876	cmd.exe	schtasks.exe
PID 3876 wrote to memory of 3412	3876	cmd.exe	schtasks.exe
PID 3876 wrote to memory of 3412	3876	cmd.exe	schtasks.exe
PID 4032 wrote to memory of 3520	4032	Lists.exe	WScript.exe
PID 4032 wrote to memory of 3520	4032	Lists.exe	WScript.exe
PID 4032 wrote to memory of 3520	4032	Lists.exe	WScript.exe
PID 3520 wrote to memory of 2328	3520	WScript.exe	cmd.exe
PID 3520 wrote to memory of 2328	3520	WScript.exe	cmd.exe
PID 3520 wrote to memory of 2328	3520	WScript.exe	cmd.exe
PID 2328 wrote to memory of 2756	2328	cmd.exe	remcos.exe
PID 2328 wrote to memory of 2756	2328	cmd.exe	remcos.exe
PID 2328 wrote to memory of 2756	2328	cmd.exe	remcos.exe
PID 2756 wrote to memory of 4076	2756	remcos.exe	remcos.exe
PID 2756 wrote to memory of 4076	2756	remcos.exe	remcos.exe
PID 2756 wrote to memory of 4076	2756	remcos.exe	remcos.exe
PID 4076 wrote to memory of 1124	4076	remcos.exe	remcos.exe
PID 4076 wrote to memory of 1124	4076	remcos.exe	remcos.exe
PID 4076 wrote to memory of 1124	4076	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\Lists.exe
"C:\Users\Admin\AppData\Local\Temp\Lists.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN systemfiles64 /XML "C:\Users\Admin\AppData\Local\Temp\1ade0704ac3e4fb2ba15d56f097cccb0.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN systemfiles64 /XML "C:\Users\Admin\AppData\Local\Temp\1ade0704ac3e4fb2ba15d56f097cccb0.xml"
3⤵
- Creates scheduled task(s)
PID:3412

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1ade0704ac3e4fb2ba15d56f097cccb0.xml
MD5
b8297b9885dfbe0c3f79de5aa77f1a7f

SHA1
a835decd0fbed45a1fb6af26d3c246c7ad33504e

SHA256
3c54acaf0f39edb064298d219a245c7c9e47435163687075908a634045f7df7d

SHA512
afbbe137bac371ec0adcbdb38bc53218f25d144930d04036208a11dc17a5524f0a7a4a6b809365b84146cc997c76b7c0ecc674a87a697ecb15c26fba53e49c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
c715a5419ed1ece6e2051e35d3674cc3

SHA1
98e8a74c315b42b88e73129108d5ad338c888124

SHA256
c363769d3d6ae833d71203a5a678ad04349404eae3788865fcdb706c3c7543b0

SHA512
1cbec375fff5500f8247c4be30b6aa15de47ab73b7d914036c76b05ca9db6eb89aad21f1d45fe955c068a8df94393d34a1b88c2fc159340b72759c0dfa93983d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
c715a5419ed1ece6e2051e35d3674cc3

SHA1
98e8a74c315b42b88e73129108d5ad338c888124

SHA256
c363769d3d6ae833d71203a5a678ad04349404eae3788865fcdb706c3c7543b0

SHA512
1cbec375fff5500f8247c4be30b6aa15de47ab73b7d914036c76b05ca9db6eb89aad21f1d45fe955c068a8df94393d34a1b88c2fc159340b72759c0dfa93983d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
c715a5419ed1ece6e2051e35d3674cc3

SHA1
98e8a74c315b42b88e73129108d5ad338c888124

SHA256
c363769d3d6ae833d71203a5a678ad04349404eae3788865fcdb706c3c7543b0

SHA512
1cbec375fff5500f8247c4be30b6aa15de47ab73b7d914036c76b05ca9db6eb89aad21f1d45fe955c068a8df94393d34a1b88c2fc159340b72759c0dfa93983d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
c715a5419ed1ece6e2051e35d3674cc3

SHA1
98e8a74c315b42b88e73129108d5ad338c888124

SHA256
c363769d3d6ae833d71203a5a678ad04349404eae3788865fcdb706c3c7543b0

SHA512
1cbec375fff5500f8247c4be30b6aa15de47ab73b7d914036c76b05ca9db6eb89aad21f1d45fe955c068a8df94393d34a1b88c2fc159340b72759c0dfa93983d

Download Submit
memory/1124-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1124-14-0x0000000000000000-mapping.dmp

Download
memory/2328-8-0x0000000000000000-mapping.dmp

Download
memory/2756-9-0x0000000000000000-mapping.dmp

Download
memory/3412-3-0x0000000000000000-mapping.dmp

Download
memory/3520-5-0x0000000000000000-mapping.dmp

Download
memory/3876-2-0x0000000000000000-mapping.dmp

Download
memory/4032-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4076-12-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads