remcos | 19c85373616be5338b379799fa36c19e4ff5d5e7f67fa820ea9040ab5427d516

General

Target

000000000090009.exe
Size

171KB
MD5

af441b85566a48db44b5c4a9f945b26f
SHA1

366e2753ba8f9a6092f17fa0e5c087f42ff93033
SHA256

19c85373616be5338b379799fa36c19e4ff5d5e7f67fa820ea9040ab5427d516
SHA512

1196080e8c93f313bc25d226a060938dd956b81ffe073926b2e3a800b1c4cf0c708f88959041771c63db742cfe70d825f2ed1fb65dde7cdd3e81c525eb77b1e5

Score

10^/10

remcos rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 2 IoCs

Processes:

pOwERsHeLl.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe	pOwERsHeLl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe	pOwERsHeLl.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

000000000090009.exe

description pid process target process

PID 3372 set thread context of 2756 3372 000000000090009.exe 000000000090009.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

pOwERsHeLl.exe

pid process

700 pOwERsHeLl.exe
700 pOwERsHeLl.exe
700 pOwERsHeLl.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

000000000090009.exe

pid process

2756 000000000090009.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

pOwERsHeLl.exe

description pid process

Token: SeDebugPrivilege 700 pOwERsHeLl.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

000000000090009.exe

pid process

2756 000000000090009.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

000000000090009.exe

pid process

2756 000000000090009.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

000000000090009.exe

pid process

2756 000000000090009.exe

description	pid	process	target process
PID 3372 set thread context of 2756	3372	000000000090009.exe	000000000090009.exe

pid	process
700	pOwERsHeLl.exe
700	pOwERsHeLl.exe
700	pOwERsHeLl.exe

pid	process
2756	000000000090009.exe

description	pid	process
Token: SeDebugPrivilege	700	pOwERsHeLl.exe

pid	process
2756	000000000090009.exe

pid	process
2756	000000000090009.exe

pid	process
2756	000000000090009.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

000000000090009.exe

description	pid	process	target process
PID 3372 wrote to memory of 700	3372	000000000090009.exe	pOwERsHeLl.exe
PID 3372 wrote to memory of 700	3372	000000000090009.exe	pOwERsHeLl.exe
PID 3372 wrote to memory of 700	3372	000000000090009.exe	pOwERsHeLl.exe
PID 3372 wrote to memory of 2756	3372	000000000090009.exe	000000000090009.exe
PID 3372 wrote to memory of 2756	3372	000000000090009.exe	000000000090009.exe
PID 3372 wrote to memory of 2756	3372	000000000090009.exe	000000000090009.exe
PID 3372 wrote to memory of 2756	3372	000000000090009.exe	000000000090009.exe
PID 3372 wrote to memory of 2756	3372	000000000090009.exe	000000000090009.exe
PID 3372 wrote to memory of 2756	3372	000000000090009.exe	000000000090009.exe
PID 3372 wrote to memory of 2756	3372	000000000090009.exe	000000000090009.exe
PID 3372 wrote to memory of 2756	3372	000000000090009.exe	000000000090009.exe

C:\Users\Admin\AppData\Local\Temp\000000000090009.exe
"C:\Users\Admin\AppData\Local\Temp\000000000090009.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pOwERsHeLl.exe
"pOwERsHeLl.exe" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\000000000090009.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Users\Admin\AppData\Local\Temp\000000000090009.exe
"C:\Users\Admin\AppData\Local\Temp\000000000090009.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/700-11-0x0000000006D40000-0x0000000006D41000-memory.dmp

Filesize
4KB

Download
memory/700-7-0x0000000000000000-mapping.dmp

Download
memory/700-20-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/700-26-0x00000000088D0000-0x00000000088D1000-memory.dmp

Filesize
4KB

Download
memory/700-24-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/700-8-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/700-25-0x00000000089B0000-0x00000000089B1000-memory.dmp

Filesize
4KB

Download
memory/700-23-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/700-27-0x0000000008940000-0x0000000008941000-memory.dmp

Filesize
4KB

Download
memory/700-29-0x0000000004373000-0x0000000004374000-memory.dmp

Filesize
4KB

Download
memory/700-10-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/700-22-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/700-15-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/700-16-0x0000000004372000-0x0000000004373000-memory.dmp

Filesize
4KB

Download
memory/700-17-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/700-18-0x0000000006CD0000-0x0000000006CD1000-memory.dmp

Filesize
4KB

Download
memory/700-19-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/2756-21-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2756-14-0x00000000004172EC-mapping.dmp

Download
memory/2756-13-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3372-2-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/3372-12-0x0000000001250000-0x000000000125F000-memory.dmp

Filesize
60KB

Download
memory/3372-9-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/3372-6-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/3372-5-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/3372-3-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads