remcos | 7adaa2ece539a6b3a01060e92ad910a7e8983e6325d72dadb257d7085f28ce81

General

Target

ORDEZTECH202067.exe
Size

729KB
MD5

5e03e07d2701ae88f1d072d7c1102762
SHA1

8c50f5333bfe34d846de0df1782386c0ffcf0667
SHA256

4ad47d37f0033d71887d69f3dfdb0961c10e98d7db1928beab71d6540db95c03
SHA512

754d1df02ff15072f182956491b97eb45e11c835555d67279176fafe15026ee3a1fc9dfae33e4fa12860d84ca6f88032d9e54a9e1d70f5be160895005db627b7

Score

10^/10

remcos amazone rat

Malware Config

Extracted

Family

remcos

Version

2.5.1 Pro

Botnet

Amazone

C2

79.134.225.43:5908

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
-JSKOGA
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

AddInProcess32.exe

pid process

924 AddInProcess32.exe
Loads dropped DLL 1 IoCs

Processes:

ORDEZTECH202067.exe

pid process

2036 ORDEZTECH202067.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ORDEZTECH202067.exe

description pid process target process

PID 2036 set thread context of 924 2036 ORDEZTECH202067.exe AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ORDEZTECH202067.exe

pid process

2036 ORDEZTECH202067.exe
2036 ORDEZTECH202067.exe
2036 ORDEZTECH202067.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ORDEZTECH202067.exe

description pid process

Token: SeDebugPrivilege 2036 ORDEZTECH202067.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AddInProcess32.exe

pid process

924 AddInProcess32.exe

pid	process
924	AddInProcess32.exe

pid	process
2036	ORDEZTECH202067.exe

description	pid	process	target process
PID 2036 set thread context of 924	2036	ORDEZTECH202067.exe	AddInProcess32.exe

pid	process
2036	ORDEZTECH202067.exe
2036	ORDEZTECH202067.exe
2036	ORDEZTECH202067.exe

description	pid	process
Token: SeDebugPrivilege	2036	ORDEZTECH202067.exe

pid	process
924	AddInProcess32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ORDEZTECH202067.exe

description	pid	process	target process
PID 2036 wrote to memory of 924	2036	ORDEZTECH202067.exe	AddInProcess32.exe
PID 2036 wrote to memory of 924	2036	ORDEZTECH202067.exe	AddInProcess32.exe
PID 2036 wrote to memory of 924	2036	ORDEZTECH202067.exe	AddInProcess32.exe
PID 2036 wrote to memory of 924	2036	ORDEZTECH202067.exe	AddInProcess32.exe
PID 2036 wrote to memory of 924	2036	ORDEZTECH202067.exe	AddInProcess32.exe
PID 2036 wrote to memory of 924	2036	ORDEZTECH202067.exe	AddInProcess32.exe
PID 2036 wrote to memory of 924	2036	ORDEZTECH202067.exe	AddInProcess32.exe
PID 2036 wrote to memory of 924	2036	ORDEZTECH202067.exe	AddInProcess32.exe
PID 2036 wrote to memory of 924	2036	ORDEZTECH202067.exe	AddInProcess32.exe
PID 2036 wrote to memory of 924	2036	ORDEZTECH202067.exe	AddInProcess32.exe
PID 2036 wrote to memory of 924	2036	ORDEZTECH202067.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\ORDEZTECH202067.exe
"C:\Users\Admin\AppData\Local\Temp\ORDEZTECH202067.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
memory/924-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/924-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/924-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/924-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/924-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/924-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/924-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/924-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/924-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/924-71-0x0000000075C01000-0x0000000075C03000-memory.dmp

Filesize
8KB

Download
memory/924-68-0x0000000000413B74-mapping.dmp

Download
memory/2036-55-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/2036-56-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/2036-54-0x0000000001370000-0x000000000142C000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads