remcos | fe62a7a3e86391e95bbfe46c669fa2ce372d911053342787c9f22f7287c94521

Analysis

Target

Order 1.19.22.exe
Size

814KB
MD5

71ac65d6674034d67719875d94473dbd
SHA1

da0ed336c9ecb3374238ddb4d1f5fb798cf6cada
SHA256

fe62a7a3e86391e95bbfe46c669fa2ce372d911053342787c9f22f7287c94521
SHA512

0cf9b21fefbdedb5b698c615786e42e488e6f3e98bd0db20a03fb9834de301a1ecba13dfef49f2441c7402ef0e22621ed8092ab60b0b9d21bf4d09cb4413e0d4

Score

10^/10

Family

remcos

Version

3.2.1 Pro

Botnet

RemoteHost

janeilla.myddns.me:9711

Attributes

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

Order 1.19.22.exe

description pid process target process

PID 1740 set thread context of 3928 1740 Order 1.19.22.exe Order 1.19.22.exe

description	pid	process	target process
PID 1740 set thread context of 3928	1740	Order 1.19.22.exe	Order 1.19.22.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Order 1.19.22.exe

description	pid	process	target process
PID 1740 wrote to memory of 3928	1740	Order 1.19.22.exe	Order 1.19.22.exe
PID 1740 wrote to memory of 3928	1740	Order 1.19.22.exe	Order 1.19.22.exe
PID 1740 wrote to memory of 3928	1740	Order 1.19.22.exe	Order 1.19.22.exe
PID 1740 wrote to memory of 3928	1740	Order 1.19.22.exe	Order 1.19.22.exe
PID 1740 wrote to memory of 3928	1740	Order 1.19.22.exe	Order 1.19.22.exe
PID 1740 wrote to memory of 3928	1740	Order 1.19.22.exe	Order 1.19.22.exe
PID 1740 wrote to memory of 3928	1740	Order 1.19.22.exe	Order 1.19.22.exe
PID 1740 wrote to memory of 3928	1740	Order 1.19.22.exe	Order 1.19.22.exe
PID 1740 wrote to memory of 3928	1740	Order 1.19.22.exe	Order 1.19.22.exe
PID 1740 wrote to memory of 3928	1740	Order 1.19.22.exe	Order 1.19.22.exe
PID 1740 wrote to memory of 3928	1740	Order 1.19.22.exe	Order 1.19.22.exe
PID 1740 wrote to memory of 3928	1740	Order 1.19.22.exe	Order 1.19.22.exe

C:\Users\Admin\AppData\Local\Temp\Order 1.19.22.exe
"C:\Users\Admin\AppData\Local\Temp\Order 1.19.22.exe"
2⤵
PID:3928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:3384

memory/1740-130-0x0000000000760000-0x0000000000834000-memory.dmp

Filesize
848KB

Download
memory/1740-131-0x0000000005750000-0x0000000005CF4000-memory.dmp

Filesize
5.6MB

Download
memory/1740-132-0x0000000005240000-0x00000000052D2000-memory.dmp

Filesize
584KB

Download
memory/1740-133-0x00000000051F0000-0x00000000051FA000-memory.dmp

Filesize
40KB

Download
memory/1740-134-0x00000000051A0000-0x0000000005744000-memory.dmp

Filesize
5.6MB

Download
memory/1740-135-0x0000000007710000-0x00000000077AC000-memory.dmp

Filesize
624KB

Download
memory/3928-136-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3928-137-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download