remcos | 12a0e61c40e9664cd768c55b50d204e038067e9dfa34c04d0170426565eb2d2c

General

Target

04_extracted.exe
Size

456KB
MD5

58dc1cfd317058134777f77f86f62592
SHA1

22f19ee32e81d180be5c4e824d359456df811293
SHA256

12a0e61c40e9664cd768c55b50d204e038067e9dfa34c04d0170426565eb2d2c
SHA512

0d6984b84336c189eb590ae870b5a50ca81f3d90a7fe97ffdbfab9569b841711475054d6c1ea6e592ad9ae45e14ff70efcfd7c10effb865843a5e79b9a4be0c2

Score

10^/10

remcos rat spyware stealer

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/188-115-0x0000000000476274-mapping.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/188-115-0x0000000000476274-mapping.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

04_extracted.exe

description	pid	process	target process
PID 4016 set thread context of 188	4016	04_extracted.exe	04_extracted.exe
PID 4016 set thread context of 3272	4016	04_extracted.exe	04_extracted.exe
PID 4016 set thread context of 1080	4016	04_extracted.exe	04_extracted.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

04_extracted.exe04_extracted.exe

pid process

3272 04_extracted.exe
3272 04_extracted.exe
188 04_extracted.exe
188 04_extracted.exe
188 04_extracted.exe
188 04_extracted.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

04_extracted.exe

description pid process

Token: SeDebugPrivilege 3272 04_extracted.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

04_extracted.exe

pid process

4016 04_extracted.exe

pid	process
3272	04_extracted.exe
3272	04_extracted.exe
188	04_extracted.exe
188	04_extracted.exe
188	04_extracted.exe
188	04_extracted.exe

description	pid	process
Token: SeDebugPrivilege	3272	04_extracted.exe

pid	process
4016	04_extracted.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

04_extracted.exe

description	pid	process	target process
PID 4016 wrote to memory of 188	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 188	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 188	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 188	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 188	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 188	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 188	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 3272	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 3272	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 3272	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 3272	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 3272	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 3272	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 3272	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 1080	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 1080	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 1080	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 1080	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 1080	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 1080	4016	04_extracted.exe	04_extracted.exe
PID 4016 wrote to memory of 1080	4016	04_extracted.exe	04_extracted.exe

C:\Users\Admin\AppData\Local\Temp\04_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\04_extracted.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4016

C:\Users\Admin\AppData\Local\Temp\04_extracted.exe
C:\Users\Admin\AppData\Local\Temp\04_extracted.exe /stext "C:\Users\Admin\AppData\Local\Temp\ppbdq"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:188

C:\Users\Admin\AppData\Local\Temp\04_extracted.exe
C:\Users\Admin\AppData\Local\Temp\04_extracted.exe /stext "C:\Users\Admin\AppData\Local\Temp\aronqxkq"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Users\Admin\AppData\Local\Temp\04_extracted.exe
C:\Users\Admin\AppData\Local\Temp\04_extracted.exe /stext "C:\Users\Admin\AppData\Local\Temp\kmtgrqujpcn"
2⤵
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ppbdq
MD5
93d9547e2f6b166ddc13b0f852378d78

SHA1
9c252ab52886c3e59e832b316bade26fe3473c74

SHA256
0e2229e3ecc706a74a1048c7e395644542a880183d9f6809260410d618dbed1d

SHA512
81711df6173b9020a004eabd398e4c1f0c092c42ab6888db122dfe2e582c04826025972f06867d207de7f4cb4d15d57afa219aebcbb9c966961696dca93d3298

Download Submit
memory/188-114-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/188-115-0x0000000000476274-mapping.dmp

Download
memory/188-122-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1080-118-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1080-119-0x0000000000455238-mapping.dmp

Download
memory/1080-121-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3272-116-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3272-117-0x0000000000422206-mapping.dmp

Download
memory/3272-120-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads