remcos | 075b0ee19107d1de51063e1ed8362107ce4b7c861bdef79a68f54f625e1b32bf

General

Target

242E8F8CF9B0C7E60D952073A3F6C3D2.exe
Size

216KB
MD5

242e8f8cf9b0c7e60d952073a3f6c3d2
SHA1

d3ebbdb9170c4d9e989b0425b009653605f6bddf
SHA256

075b0ee19107d1de51063e1ed8362107ce4b7c861bdef79a68f54f625e1b32bf
SHA512

3fca7faa7fd7436c4f7569fcacca9506a147e514b60449d4b50f518e0e31459fced03f135af4ef19de554b953f153c8bb4cc48a3c6b098a87e36903ce8d1e2d4

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

185.158.115.38:5007

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Drops startup file 1 IoCs

Processes:

MSBuild.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HvsiManagementApi.lnk MSBuild.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

MSBuild.exe

description pid process target process

PID 332 set thread context of 1324 332 MSBuild.exe RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

242E8F8CF9B0C7E60D952073A3F6C3D2.exeRegAsm.exe

pid process

1056 242E8F8CF9B0C7E60D952073A3F6C3D2.exe
1324 RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HvsiManagementApi.lnk	MSBuild.exe

description	pid	process	target process
PID 332 set thread context of 1324	332	MSBuild.exe	RegAsm.exe

pid	process
1056	242E8F8CF9B0C7E60D952073A3F6C3D2.exe
1324	RegAsm.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

242E8F8CF9B0C7E60D952073A3F6C3D2.exeMSBuild.execsc.exe

description	pid	process	target process
PID 1056 wrote to memory of 332	1056	242E8F8CF9B0C7E60D952073A3F6C3D2.exe	MSBuild.exe
PID 1056 wrote to memory of 332	1056	242E8F8CF9B0C7E60D952073A3F6C3D2.exe	MSBuild.exe
PID 1056 wrote to memory of 332	1056	242E8F8CF9B0C7E60D952073A3F6C3D2.exe	MSBuild.exe
PID 1056 wrote to memory of 332	1056	242E8F8CF9B0C7E60D952073A3F6C3D2.exe	MSBuild.exe
PID 332 wrote to memory of 1736	332	MSBuild.exe	csc.exe
PID 332 wrote to memory of 1736	332	MSBuild.exe	csc.exe
PID 332 wrote to memory of 1736	332	MSBuild.exe	csc.exe
PID 332 wrote to memory of 1736	332	MSBuild.exe	csc.exe
PID 1736 wrote to memory of 240	1736	csc.exe	cvtres.exe
PID 1736 wrote to memory of 240	1736	csc.exe	cvtres.exe
PID 1736 wrote to memory of 240	1736	csc.exe	cvtres.exe
PID 1736 wrote to memory of 240	1736	csc.exe	cvtres.exe
PID 332 wrote to memory of 1324	332	MSBuild.exe	RegAsm.exe
PID 332 wrote to memory of 1324	332	MSBuild.exe	RegAsm.exe
PID 332 wrote to memory of 1324	332	MSBuild.exe	RegAsm.exe
PID 332 wrote to memory of 1324	332	MSBuild.exe	RegAsm.exe
PID 332 wrote to memory of 1324	332	MSBuild.exe	RegAsm.exe
PID 332 wrote to memory of 1324	332	MSBuild.exe	RegAsm.exe
PID 332 wrote to memory of 1324	332	MSBuild.exe	RegAsm.exe
PID 332 wrote to memory of 1324	332	MSBuild.exe	RegAsm.exe
PID 332 wrote to memory of 1324	332	MSBuild.exe	RegAsm.exe
PID 332 wrote to memory of 1324	332	MSBuild.exe	RegAsm.exe
PID 332 wrote to memory of 1324	332	MSBuild.exe	RegAsm.exe
PID 332 wrote to memory of 1324	332	MSBuild.exe	RegAsm.exe
PID 332 wrote to memory of 1324	332	MSBuild.exe	RegAsm.exe
PID 332 wrote to memory of 1324	332	MSBuild.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\242E8F8CF9B0C7E60D952073A3F6C3D2.exe
"C:\Users\Admin\AppData\Local\Temp\242E8F8CF9B0C7E60D952073A3F6C3D2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "C:\Users\Admin\arffut.proj"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1pkw4ocp\1pkw4ocp.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36D9.tmp" "c:\Users\Admin\AppData\Local\Temp\1pkw4ocp\CSC52949A7C2362496C8C898FEF753C197.TMP"
4⤵
PID:240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:1324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1pkw4ocp\1pkw4ocp.dll
MD5
39e6cbb2bb97297c84ad697b82b98ab5

SHA1
5cc15d775dec1cb6a5e439835ca0ae971661cd81

SHA256
f9f7de50ae6d298307a0d10e1951af963e136cc714773f8cf0fdf79abfa9b6b1

SHA512
b3759eb9d589476b2280f81e897df5518617a80cba748062bca3c8a6282148164553af3f9a8e84bcff1658f1d2cb0e07f981ee59feebb3f259a48c0cb35b4cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1pkw4ocp\1pkw4ocp.pdb
MD5
6f9395d4d0923926bbca56168c0a5cb9

SHA1
e3e108a8a61f4d9ba82a341801fe32cfd46a7071

SHA256
7da5732b12ffce54180cfd8599283605c3e33fc61b92ca636398239ce67f8c16

SHA512
d007bc73b3d2354412103896f69c45a87ebe8ba08dcf3ab0e10780933040f017097e288ab1e7311e4380b55af9170121dfa985fb5a04ed683e3ce08c72bb9699

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES36D9.tmp
MD5
083436aa50b92a8926e614d94a98d137

SHA1
cd344dae9922c1167dd0458f2d27789badda1ae9

SHA256
ba6dbb80abab480794010eae819bf31b71707e315f456a31d61a043c58df093a

SHA512
be53dafb73c071ce85b173a64781794d996aa7de1a5a52047be71b4ecdab147f029249ee137ff24ec7281fff7eedddacb591dba75e2e95822b17ba6d7e19964b

Download Submit
C:\Users\Admin\arffut.proj
MD5
6bdabf8bccbaaa35e32e4fd4d2099636

SHA1
14154c31b53bcd00bb3e6c142f73112cbc76c2bf

SHA256
46878b60194e8d7b849ca3031021691a094ce1f01048724fecc32a028e6c3f96

SHA512
9c77ece03471d7d1baf2052354ff97e3c39bede48509f4388fb2ebb3990dfc0b21873661130834677d7b256e2a20d455aa3fc5a767026a717e58887dffd2f0ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1pkw4ocp\1pkw4ocp.0.cs
MD5
27a07ac07b3c629ce6cddee8ec5ca5a9

SHA1
5765a96d37e237325985c3cada8f7361676d6782

SHA256
72a6a4f7bbd08d8932b62b468d1768d1dfc833ae0f1548ce7ebe2e4c656b335b

SHA512
d56272a3a767d9658a7d15cc5b068c6b02f6f99f2fdd6b163219d6f1b0d73b096bd3e7f498d1ce5d62f493cc4a00a1149dcdc5a25b790b48a6653f2d55a06dbd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1pkw4ocp\1pkw4ocp.cmdline
MD5
01e0edba242a96521724a653b1252d3f

SHA1
e2c32ea56fabc99a4c19a49abcf98ce3772ab856

SHA256
0ff253b73b733140e9167c0811c4570389fb764fecc170c97be5c6de028f438b

SHA512
c7ac8a2a06b83ea5ad4ca6e8d5561a1b456955e07cb03eb02b728892968bba5bbca801d211f225248f74379b4e81b4a6d14fcd8c4ace0f4811734ac23590d808

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1pkw4ocp\CSC52949A7C2362496C8C898FEF753C197.TMP
MD5
750bc038bc547725bdca7004b8555edb

SHA1
b0e81d23b58d69c01fe81643e1a3bd8115b7f4ab

SHA256
ffbcc668f9cdef944ae514d3998db46e42c6cdf9e00fd7b91ec72427f3178e07

SHA512
51811976690f4059c9491d4901ace129c0351bbc9be654e5ac976dcd6d342a96d62593b36a0a0ca858418598d5ee7415df5104f8105aa0fec017e19bc895792d

Download Submit
memory/240-76-0x0000000000000000-mapping.dmp

Download
memory/332-67-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/332-64-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/332-71-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/332-72-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/332-85-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/332-69-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/332-68-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/332-81-0x00000000004C0000-0x00000000004E3000-memory.dmp

Filesize
140KB

Download
memory/332-66-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/332-70-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/332-63-0x0000000000000000-mapping.dmp

Download
memory/1056-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1056-61-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1324-82-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1324-83-0x0000000000413FA4-mapping.dmp

Download
memory/1324-86-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1736-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads