remcos | b9e467b94e968b2fb26ae2384d400eb37afd49b857644a754918d2d412eb74cc

General

Target

9d84e2e5d8e18157f7da91393112d8ad.exe
Size

762KB
MD5

9d84e2e5d8e18157f7da91393112d8ad
SHA1

77df25a58864a22c423d31644e635e2f075bbe87
SHA256

b9e467b94e968b2fb26ae2384d400eb37afd49b857644a754918d2d412eb74cc
SHA512

a62996b1981c87e897c0d25e14cc231c71347879024807314eb1a46d736fc1f39f9bd4220b7c8abbe35f35a3e6587659522ba6781091d4d9b0ba1c62e6159917

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

megamoney2021.duckdns.org:26500

79.134.225.13:26500

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

update.exeupdate.exe

pid process

112 update.exe
1168 update.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exeupdate.exe

pid process

436 cmd.exe
112 update.exe

pid	process
112	update.exe
1168	update.exe

pid	process
436	cmd.exe
112	update.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9d84e2e5d8e18157f7da91393112d8ad.exeupdate.exe

description	pid	process	target process
PID 1076 set thread context of 1348	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 112 set thread context of 1168	112	update.exe	update.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

536 schtasks.exe
1332 schtasks.exe

pid	process
536	schtasks.exe
1332	schtasks.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

9d84e2e5d8e18157f7da91393112d8ad.exe9d84e2e5d8e18157f7da91393112d8ad.exeWScript.execmd.exeupdate.exe

description	pid	process	target process
PID 1076 wrote to memory of 536	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	schtasks.exe
PID 1076 wrote to memory of 536	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	schtasks.exe
PID 1076 wrote to memory of 536	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	schtasks.exe
PID 1076 wrote to memory of 536	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	schtasks.exe
PID 1076 wrote to memory of 1348	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 1076 wrote to memory of 1348	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 1076 wrote to memory of 1348	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 1076 wrote to memory of 1348	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 1076 wrote to memory of 1348	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 1076 wrote to memory of 1348	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 1076 wrote to memory of 1348	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 1076 wrote to memory of 1348	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 1076 wrote to memory of 1348	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 1076 wrote to memory of 1348	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 1076 wrote to memory of 1348	1076	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 1348 wrote to memory of 876	1348	9d84e2e5d8e18157f7da91393112d8ad.exe	WScript.exe
PID 1348 wrote to memory of 876	1348	9d84e2e5d8e18157f7da91393112d8ad.exe	WScript.exe
PID 1348 wrote to memory of 876	1348	9d84e2e5d8e18157f7da91393112d8ad.exe	WScript.exe
PID 1348 wrote to memory of 876	1348	9d84e2e5d8e18157f7da91393112d8ad.exe	WScript.exe
PID 876 wrote to memory of 436	876	WScript.exe	cmd.exe
PID 876 wrote to memory of 436	876	WScript.exe	cmd.exe
PID 876 wrote to memory of 436	876	WScript.exe	cmd.exe
PID 876 wrote to memory of 436	876	WScript.exe	cmd.exe
PID 436 wrote to memory of 112	436	cmd.exe	update.exe
PID 436 wrote to memory of 112	436	cmd.exe	update.exe
PID 436 wrote to memory of 112	436	cmd.exe	update.exe
PID 436 wrote to memory of 112	436	cmd.exe	update.exe
PID 436 wrote to memory of 112	436	cmd.exe	update.exe
PID 436 wrote to memory of 112	436	cmd.exe	update.exe
PID 436 wrote to memory of 112	436	cmd.exe	update.exe
PID 112 wrote to memory of 1332	112	update.exe	schtasks.exe
PID 112 wrote to memory of 1332	112	update.exe	schtasks.exe
PID 112 wrote to memory of 1332	112	update.exe	schtasks.exe
PID 112 wrote to memory of 1332	112	update.exe	schtasks.exe
PID 112 wrote to memory of 1168	112	update.exe	update.exe
PID 112 wrote to memory of 1168	112	update.exe	update.exe
PID 112 wrote to memory of 1168	112	update.exe	update.exe
PID 112 wrote to memory of 1168	112	update.exe	update.exe
PID 112 wrote to memory of 1168	112	update.exe	update.exe
PID 112 wrote to memory of 1168	112	update.exe	update.exe
PID 112 wrote to memory of 1168	112	update.exe	update.exe
PID 112 wrote to memory of 1168	112	update.exe	update.exe
PID 112 wrote to memory of 1168	112	update.exe	update.exe
PID 112 wrote to memory of 1168	112	update.exe	update.exe
PID 112 wrote to memory of 1168	112	update.exe	update.exe
PID 112 wrote to memory of 1168	112	update.exe	update.exe
PID 112 wrote to memory of 1168	112	update.exe	update.exe
PID 112 wrote to memory of 1168	112	update.exe	update.exe

C:\Users\Admin\AppData\Local\Temp\9d84e2e5d8e18157f7da91393112d8ad.exe
"C:\Users\Admin\AppData\Local\Temp\9d84e2e5d8e18157f7da91393112d8ad.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NGFtet" /XML "C:\Users\Admin\AppData\Local\Temp\tmp22CC.tmp"
2⤵
- Creates scheduled task(s)
PID:536

C:\Users\Admin\AppData\Local\Temp\9d84e2e5d8e18157f7da91393112d8ad.exe
"C:\Users\Admin\AppData\Local\Temp\9d84e2e5d8e18157f7da91393112d8ad.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\windows\update.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Roaming\windows\update.exe
C:\Users\Admin\AppData\Roaming\windows\update.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NGFtet" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3218.tmp"
6⤵
- Creates scheduled task(s)
PID:1332

C:\Users\Admin\AppData\Roaming\windows\update.exe
"C:\Users\Admin\AppData\Roaming\windows\update.exe"
6⤵
- Executes dropped EXE
PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
8316548aa6ceaadc4f077d47d9391c61

SHA1
16c2a0ce8400c559db5873566056fb2f39a76a94

SHA256
b020536ab98017ec5f284bdf59d2c39e1731af44960dc89eb72223556a41885a

SHA512
75ec0760b8af5cd0b75e2d7147abc32b329a82d395712173def311d14d7d3f8caef8eba50e807357c54b93c86f4c24c999950f0bbce13b1bcb71854ecf2a09ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp22CC.tmp
MD5
f4a99a881c0bbe2e84ed7aeb4b821a46

SHA1
86cc06baadb65d5094cea4caac107e9f4679ae8f

SHA256
44b4eeb608cd4eb7fdf98f64f2e03fe0f20d6f56b1a84aadfc2e0686f316a5c4

SHA512
ff5b0db7f63edba2d95bf159437a7eaf308bab75efc0bb9b22dbfda321927c65234a2cea48ccc2b8b657c8d9fdce41a033a05e8608315ffe883996ba773a5f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3218.tmp
MD5
f4a99a881c0bbe2e84ed7aeb4b821a46

SHA1
86cc06baadb65d5094cea4caac107e9f4679ae8f

SHA256
44b4eeb608cd4eb7fdf98f64f2e03fe0f20d6f56b1a84aadfc2e0686f316a5c4

SHA512
ff5b0db7f63edba2d95bf159437a7eaf308bab75efc0bb9b22dbfda321927c65234a2cea48ccc2b8b657c8d9fdce41a033a05e8608315ffe883996ba773a5f99

Download Submit
C:\Users\Admin\AppData\Roaming\windows\update.exe
MD5
9d84e2e5d8e18157f7da91393112d8ad

SHA1
77df25a58864a22c423d31644e635e2f075bbe87

SHA256
b9e467b94e968b2fb26ae2384d400eb37afd49b857644a754918d2d412eb74cc

SHA512
a62996b1981c87e897c0d25e14cc231c71347879024807314eb1a46d736fc1f39f9bd4220b7c8abbe35f35a3e6587659522ba6781091d4d9b0ba1c62e6159917

Download Submit
C:\Users\Admin\AppData\Roaming\windows\update.exe
MD5
9d84e2e5d8e18157f7da91393112d8ad

SHA1
77df25a58864a22c423d31644e635e2f075bbe87

SHA256
b9e467b94e968b2fb26ae2384d400eb37afd49b857644a754918d2d412eb74cc

SHA512
a62996b1981c87e897c0d25e14cc231c71347879024807314eb1a46d736fc1f39f9bd4220b7c8abbe35f35a3e6587659522ba6781091d4d9b0ba1c62e6159917

Download Submit
C:\Users\Admin\AppData\Roaming\windows\update.exe
MD5
9d84e2e5d8e18157f7da91393112d8ad

SHA1
77df25a58864a22c423d31644e635e2f075bbe87

SHA256
b9e467b94e968b2fb26ae2384d400eb37afd49b857644a754918d2d412eb74cc

SHA512
a62996b1981c87e897c0d25e14cc231c71347879024807314eb1a46d736fc1f39f9bd4220b7c8abbe35f35a3e6587659522ba6781091d4d9b0ba1c62e6159917

Download Submit
\Users\Admin\AppData\Roaming\windows\update.exe
MD5
9d84e2e5d8e18157f7da91393112d8ad

SHA1
77df25a58864a22c423d31644e635e2f075bbe87

SHA256
b9e467b94e968b2fb26ae2384d400eb37afd49b857644a754918d2d412eb74cc

SHA512
a62996b1981c87e897c0d25e14cc231c71347879024807314eb1a46d736fc1f39f9bd4220b7c8abbe35f35a3e6587659522ba6781091d4d9b0ba1c62e6159917

Download Submit
\Users\Admin\AppData\Roaming\windows\update.exe
MD5
9d84e2e5d8e18157f7da91393112d8ad

SHA1
77df25a58864a22c423d31644e635e2f075bbe87

SHA256
b9e467b94e968b2fb26ae2384d400eb37afd49b857644a754918d2d412eb74cc

SHA512
a62996b1981c87e897c0d25e14cc231c71347879024807314eb1a46d736fc1f39f9bd4220b7c8abbe35f35a3e6587659522ba6781091d4d9b0ba1c62e6159917

Download Submit
memory/112-26-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/112-24-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/112-23-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/112-21-0x0000000000000000-mapping.dmp

Download
memory/436-17-0x0000000000000000-mapping.dmp

Download
memory/536-8-0x0000000000000000-mapping.dmp

Download
memory/876-18-0x0000000002750000-0x0000000002754000-memory.dmp

Filesize
16KB

Download
memory/876-13-0x0000000000000000-mapping.dmp

Download
memory/1076-5-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/1076-7-0x00000000050D0000-0x000000000512D000-memory.dmp

Filesize
372KB

Download
memory/1076-6-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1076-2-0x0000000074CF0000-0x00000000753DE000-memory.dmp

Filesize
6.9MB

Download
memory/1076-3-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1168-33-0x0000000000413FA4-mapping.dmp

Download
memory/1168-36-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1332-29-0x0000000000000000-mapping.dmp

Download
memory/1348-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1348-12-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1348-11-0x0000000000413FA4-mapping.dmp

Download
memory/1348-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads