remcos | 0c2f78458061b2e848305409a90351eff2c4c31eed1a4667b6366bfdc43ef52a

General

Target

SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe
Size

897KB
MD5

9f910ba7ff05efd30eb1c2316bb488e0
SHA1

3b428f5cf8b0c43b8b63bbaf728669a83f66458e
SHA256

0c2f78458061b2e848305409a90351eff2c4c31eed1a4667b6366bfdc43ef52a
SHA512

5f6300857bce04ef5e883bb219d3f2257acdada1c29cec9dff0d438a8190f784b0c7bde44dbe80adb7f28fefe03c9ec57d0300066bed46b838a91d92a3f7c189

Score

10^/10

remcos agilenet rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2096 svchost.exe

pid	process
2096	svchost.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/3172-122-0x00000000069C0000-0x00000000069E1000-memory.dmp	agile_net
behavioral2/memory/3172-125-0x00000000052D0000-0x00000000057CE000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe

description pid process target process

PID 3172 set thread context of 2096 3172 SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe

pid process

3172 SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe
3172 SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe

description pid process

Token: SeDebugPrivilege 3172 SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe

description	pid	process	target process
PID 3172 set thread context of 2096	3172	SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe	svchost.exe

pid	process
3172	SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe
3172	SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe

description	pid	process
Token: SeDebugPrivilege	3172	SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe

description	pid	process	target process
PID 3172 wrote to memory of 2096	3172	SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe	svchost.exe
PID 3172 wrote to memory of 2096	3172	SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe	svchost.exe
PID 3172 wrote to memory of 2096	3172	SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe	svchost.exe
PID 3172 wrote to memory of 2096	3172	SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe	svchost.exe
PID 3172 wrote to memory of 2096	3172	SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe	svchost.exe
PID 3172 wrote to memory of 2096	3172	SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe	svchost.exe
PID 3172 wrote to memory of 2096	3172	SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe	svchost.exe
PID 3172 wrote to memory of 2096	3172	SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Kryptik.4625f314.19991.25291.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
PID:2096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
6bdb3091562e7dd2c877472286b6cc46

SHA1
122ecbb7a23dc98c61f319cfb060f3cbd407db89

SHA256
87e4144b3f50e9a0635ea6a887a20ef0d7b1321a79793f9fa965b8defbdef698

SHA512
219d646d5d514c705f801cacc736ca1027613d6612c1d30a8d4156143f5344b125a297080926912e7abf94a09b80cae157ac44773e84dd95946a9feb44b10e94

Download Submit
memory/2096-128-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2096-133-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2096-129-0x000000000047823F-mapping.dmp

Download
memory/3172-119-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/3172-121-0x00000000052D0000-0x00000000057CE000-memory.dmp

Filesize
5.0MB

Download
memory/3172-122-0x00000000069C0000-0x00000000069E1000-memory.dmp

Filesize
132KB

Download
memory/3172-123-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

Filesize
4KB

Download
memory/3172-124-0x0000000006A50000-0x0000000006A51000-memory.dmp

Filesize
4KB

Download
memory/3172-125-0x00000000052D0000-0x00000000057CE000-memory.dmp

Filesize
5.0MB

Download
memory/3172-126-0x0000000006DA0000-0x0000000006DAB000-memory.dmp

Filesize
44KB

Download
memory/3172-127-0x0000000009730000-0x0000000009731000-memory.dmp

Filesize
4KB

Download
memory/3172-114-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/3172-118-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3172-117-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/3172-116-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing