remcos | 3c0df5607ab1e7bf906ce2be36ee0bb970c26baf19710f0c195ca9356a2d918f

General

Target

ORDER SHEET & SAMPLES_pdf.exe
Size

1.0MB
MD5

aee4b8f4f0796c4945908b4ef5aa3457
SHA1

9154bf79d84c17e64290cbaa83835965da7fbed6
SHA256

3c0df5607ab1e7bf906ce2be36ee0bb970c26baf19710f0c195ca9356a2d918f
SHA512

3dae1280754ffb56fae642350b215354304320043555b4ac3698bd094e76e26f123203baff8be8f9f4f1544c0ba30551f5a0729d9c1b0b04e11ad7f0e5d45279

Score

10^/10

remcos agilenet rat

Malware Config

Extracted

Family

remcos

C2

remcoswealth.ddns.net:59239

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

AddInProcess32.exe

pid process

3404 AddInProcess32.exe

pid	process
3404	AddInProcess32.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/3724-121-0x0000000006420000-0x0000000006441000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

ORDER SHEET & SAMPLES_pdf.exe

description pid process target process

PID 3724 set thread context of 3404 3724 ORDER SHEET & SAMPLES_pdf.exe AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ORDER SHEET & SAMPLES_pdf.exe

pid process

3724 ORDER SHEET & SAMPLES_pdf.exe
3724 ORDER SHEET & SAMPLES_pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ORDER SHEET & SAMPLES_pdf.exe

description pid process

Token: SeDebugPrivilege 3724 ORDER SHEET & SAMPLES_pdf.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AddInProcess32.exe

pid process

3404 AddInProcess32.exe

description	pid	process	target process
PID 3724 set thread context of 3404	3724	ORDER SHEET & SAMPLES_pdf.exe	AddInProcess32.exe

pid	process
3724	ORDER SHEET & SAMPLES_pdf.exe
3724	ORDER SHEET & SAMPLES_pdf.exe

description	pid	process
Token: SeDebugPrivilege	3724	ORDER SHEET & SAMPLES_pdf.exe

pid	process
3404	AddInProcess32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ORDER SHEET & SAMPLES_pdf.exe

description	pid	process	target process
PID 3724 wrote to memory of 3404	3724	ORDER SHEET & SAMPLES_pdf.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3404	3724	ORDER SHEET & SAMPLES_pdf.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3404	3724	ORDER SHEET & SAMPLES_pdf.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3404	3724	ORDER SHEET & SAMPLES_pdf.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3404	3724	ORDER SHEET & SAMPLES_pdf.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3404	3724	ORDER SHEET & SAMPLES_pdf.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3404	3724	ORDER SHEET & SAMPLES_pdf.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3404	3724	ORDER SHEET & SAMPLES_pdf.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3404	3724	ORDER SHEET & SAMPLES_pdf.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3404	3724	ORDER SHEET & SAMPLES_pdf.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3404	3724	ORDER SHEET & SAMPLES_pdf.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3404	3724	ORDER SHEET & SAMPLES_pdf.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\ORDER SHEET & SAMPLES_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER SHEET & SAMPLES_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
memory/3404-127-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3404-130-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3404-128-0x000000000042EEEF-mapping.dmp

Download
memory/3724-122-0x00000000064D0000-0x00000000064D1000-memory.dmp

Filesize
4KB

Download
memory/3724-121-0x0000000006420000-0x0000000006441000-memory.dmp

Filesize
132KB

Download
memory/3724-114-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3724-123-0x00000000063D0000-0x00000000063D1000-memory.dmp

Filesize
4KB

Download
memory/3724-124-0x0000000002A91000-0x0000000002A92000-memory.dmp

Filesize
4KB

Download
memory/3724-125-0x0000000006D40000-0x0000000006D4B000-memory.dmp

Filesize
44KB

Download
memory/3724-126-0x0000000009320000-0x0000000009321000-memory.dmp

Filesize
4KB

Download
memory/3724-120-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3724-118-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/3724-117-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/3724-116-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing