remcos | 075b0ee19107d1de51063e1ed8362107ce4b7c861bdef79a68f54f625e1b32bf

General

Target

242E8F8CF9B0C7E60D952073A3F6C3D2.exe
Size

216KB
MD5

242e8f8cf9b0c7e60d952073a3f6c3d2
SHA1

d3ebbdb9170c4d9e989b0425b009653605f6bddf
SHA256

075b0ee19107d1de51063e1ed8362107ce4b7c861bdef79a68f54f625e1b32bf
SHA512

3fca7faa7fd7436c4f7569fcacca9506a147e514b60449d4b50f518e0e31459fced03f135af4ef19de554b953f153c8bb4cc48a3c6b098a87e36903ce8d1e2d4

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

185.158.115.38:5007

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Drops startup file 1 IoCs

Processes:

MSBuild.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HvsiManagementApi.lnk MSBuild.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

MSBuild.exe

description pid process target process

PID 2520 set thread context of 844 2520 MSBuild.exe RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

242E8F8CF9B0C7E60D952073A3F6C3D2.exeRegAsm.exe

pid process

1852 242E8F8CF9B0C7E60D952073A3F6C3D2.exe
844 RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HvsiManagementApi.lnk	MSBuild.exe

description	pid	process	target process
PID 2520 set thread context of 844	2520	MSBuild.exe	RegAsm.exe

pid	process
1852	242E8F8CF9B0C7E60D952073A3F6C3D2.exe
844	RegAsm.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

242E8F8CF9B0C7E60D952073A3F6C3D2.exeMSBuild.execsc.exe

description	pid	process	target process
PID 1852 wrote to memory of 2520	1852	242E8F8CF9B0C7E60D952073A3F6C3D2.exe	MSBuild.exe
PID 1852 wrote to memory of 2520	1852	242E8F8CF9B0C7E60D952073A3F6C3D2.exe	MSBuild.exe
PID 1852 wrote to memory of 2520	1852	242E8F8CF9B0C7E60D952073A3F6C3D2.exe	MSBuild.exe
PID 2520 wrote to memory of 2164	2520	MSBuild.exe	csc.exe
PID 2520 wrote to memory of 2164	2520	MSBuild.exe	csc.exe
PID 2520 wrote to memory of 2164	2520	MSBuild.exe	csc.exe
PID 2164 wrote to memory of 808	2164	csc.exe	cvtres.exe
PID 2164 wrote to memory of 808	2164	csc.exe	cvtres.exe
PID 2164 wrote to memory of 808	2164	csc.exe	cvtres.exe
PID 2520 wrote to memory of 844	2520	MSBuild.exe	RegAsm.exe
PID 2520 wrote to memory of 844	2520	MSBuild.exe	RegAsm.exe
PID 2520 wrote to memory of 844	2520	MSBuild.exe	RegAsm.exe
PID 2520 wrote to memory of 844	2520	MSBuild.exe	RegAsm.exe
PID 2520 wrote to memory of 844	2520	MSBuild.exe	RegAsm.exe
PID 2520 wrote to memory of 844	2520	MSBuild.exe	RegAsm.exe
PID 2520 wrote to memory of 844	2520	MSBuild.exe	RegAsm.exe
PID 2520 wrote to memory of 844	2520	MSBuild.exe	RegAsm.exe
PID 2520 wrote to memory of 844	2520	MSBuild.exe	RegAsm.exe
PID 2520 wrote to memory of 844	2520	MSBuild.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\242E8F8CF9B0C7E60D952073A3F6C3D2.exe
"C:\Users\Admin\AppData\Local\Temp\242E8F8CF9B0C7E60D952073A3F6C3D2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "C:\Users\Admin\arffut.proj"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eyijze3k\eyijze3k.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES402B.tmp" "c:\Users\Admin\AppData\Local\Temp\eyijze3k\CSC702B9F8BF26445EDA11E909A7CD4018.TMP"
4⤵
PID:808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES402B.tmp
MD5
e2f3767ba5412410f32e60167211ce3a

SHA1
54ba4d5b159ee56415876a89e1feff449a23b5d6

SHA256
9359ed187824996db6121c9ee93093846c95db53e478a2d35772a71d7f333bfe

SHA512
125daa5c9f71c07393b9758064f785b5b2ebbf290147c959536a6bb2955da31b93b69083fb2c898015606a79e0897142d1b2582d315050a69c3e971a4322ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyijze3k\eyijze3k.dll
MD5
3840c62c04658e659953a767d42c1d7c

SHA1
bb0e5319b12789116f6c3131d8c82a5e51f7cd6d

SHA256
01c35b9ad5396a383aae8788611fa4f0588b9835cf7e781beadab1b8b1e1511a

SHA512
4e501337f6839e88fe26847b9be1f0051d463f32020a6062c71a211aa4a0199c254208dd1a963beecd138f21822ddf37e8842c4b7ba885a8c435f210bf67fb7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyijze3k\eyijze3k.pdb
MD5
ff62c1491e114e9343c6c7010493b0ad

SHA1
3ed34b77e44738ad20666e544fc93f4e56bc51d1

SHA256
ebd9c1dfd95d6574323dd00b1784fcd355d6e4b6f200f98f9a0bd017d52d35c9

SHA512
4a5c3c9525a9865e888e8ad4aa97efaea4d4ac17102ac3c7b5481295215f7a19e93a0be2cd924b624fd114b785cf4d65d533ec42ad482b314bdbbe9e07e0f059

Download Submit
C:\Users\Admin\arffut.proj
MD5
6bdabf8bccbaaa35e32e4fd4d2099636

SHA1
14154c31b53bcd00bb3e6c142f73112cbc76c2bf

SHA256
46878b60194e8d7b849ca3031021691a094ce1f01048724fecc32a028e6c3f96

SHA512
9c77ece03471d7d1baf2052354ff97e3c39bede48509f4388fb2ebb3990dfc0b21873661130834677d7b256e2a20d455aa3fc5a767026a717e58887dffd2f0ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eyijze3k\CSC702B9F8BF26445EDA11E909A7CD4018.TMP
MD5
408f76230df1a86cfc191820bce21d9f

SHA1
2b01844911f8c46fd6f0537cf5e576ac74520adb

SHA256
bc3ab9b72f48298ebca52c3d42b736aeb271a28d01a85d57d50123caebe1b72f

SHA512
45b6eebef5bca03a58578c1818088a9209c0b49bb6843226d53f7464369ff86868b64ef6cb744e7c257f25cdc5d09d22b6622e0be937ddd9750074a8aa634977

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eyijze3k\eyijze3k.0.cs
MD5
27a07ac07b3c629ce6cddee8ec5ca5a9

SHA1
5765a96d37e237325985c3cada8f7361676d6782

SHA256
72a6a4f7bbd08d8932b62b468d1768d1dfc833ae0f1548ce7ebe2e4c656b335b

SHA512
d56272a3a767d9658a7d15cc5b068c6b02f6f99f2fdd6b163219d6f1b0d73b096bd3e7f498d1ce5d62f493cc4a00a1149dcdc5a25b790b48a6653f2d55a06dbd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eyijze3k\eyijze3k.cmdline
MD5
91ab788a06f12d0adc2ae44e40c32f2b

SHA1
b74effb03982a4bac814309c49ee2af93677559e

SHA256
8f3fe50233911dc3901d64d9dfa546c4b4fcc4ba987373646d35cb70fc6fd0bc

SHA512
152cda8c2eec57d8d79071a566878d1d30a582a9a05e5d93f10845f047c4a50b7f35560f06a0177d07d763b4a33eb4f612ecfd95bfc34cdd4d9bd42efcc60fa7

Download Submit
memory/808-134-0x0000000000000000-mapping.dmp

Download
memory/844-143-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/844-141-0x0000000000413FA4-mapping.dmp

Download
memory/844-140-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1852-116-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2164-131-0x0000000000000000-mapping.dmp

Download
memory/2520-130-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/2520-129-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/2520-126-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/2520-124-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/2520-122-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/2520-121-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/2520-120-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/2520-139-0x00000000056C0000-0x00000000056E3000-memory.dmp

Filesize
140KB

Download
memory/2520-119-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/2520-118-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2520-142-0x0000000005610000-0x0000000005732000-memory.dmp

Filesize
1.1MB

Download
memory/2520-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads