remcos | a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989

General

Target

a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe
Size

182KB
MD5

673843fcf41d43e013021716cbd9e32b
SHA1

8f1c7ef48d59ed27e90d6f4aeca803c10363f75d
SHA256

a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989
SHA512

c916adde38053c09f3a10fff5f5a245e774db16624f887021e1c425af3c06651e984d418821ed83ba1e9abf1775d32798d8d9f14ac1e9fcc35747848e25941b1

Score

10^/10

remcos buddy rat rezer0

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

Buddy

C2

eastsidepapi.myq-see.com:6996

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Buddy.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Buddy-QTXQ69
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Buddy
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1960-57-0x00000000009D0000-0x00000000009FC000-memory.dmp	rezer0

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe

description pid process target process

PID 1960 set thread context of 908 1960 a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1608 schtasks.exe

description	pid	process	target process
PID 1960 set thread context of 908	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe

pid	process
1608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe

pid	process
1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe
1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe
1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe

description pid process

Token: SeDebugPrivilege 1960 a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

908 vbc.exe

description	pid	process
Token: SeDebugPrivilege	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe

pid	process
908	vbc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe

description	pid	process	target process
PID 1960 wrote to memory of 1608	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	schtasks.exe
PID 1960 wrote to memory of 1608	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	schtasks.exe
PID 1960 wrote to memory of 1608	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	schtasks.exe
PID 1960 wrote to memory of 1608	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	schtasks.exe
PID 1960 wrote to memory of 944	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 944	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 944	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 944	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 1368	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 1368	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 1368	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 1368	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 908	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 908	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 908	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 908	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 908	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 908	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 908	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 908	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 908	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 908	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe
PID 1960 wrote to memory of 908	1960	a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe
"C:\Users\Admin\AppData\Local\Temp\a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lOsAeIeZnxoiY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3850.tmp"
2⤵
- Creates scheduled task(s)
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3850.tmp
Filesize
1KB

MD5
d82236b48c473fc9c0d0ec05ed88e4bf

SHA1
4ece089d4590ae16f30d5bc57c201e369d99b35d

SHA256
22714d25aad550d46f98219857714d358f25335863d31d1e0f7bf0c5cc18e35c

SHA512
78d4c018877d89c9f9757054ba2e385ab769b568e95a9861bee5fd11e145b4f40aa296b139368669cad89a1692c996120bd52d390211963e5a88eeed738b4085

Download Submit
memory/908-69-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/908-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/908-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/908-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/908-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/908-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/908-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/908-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/908-70-0x0000000000413A84-mapping.dmp

Download
memory/908-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1608-58-0x0000000000000000-mapping.dmp

Download
memory/1960-54-0x0000000001380000-0x00000000013B4000-memory.dmp

Filesize
208KB

Download
memory/1960-56-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/1960-55-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/1960-57-0x00000000009D0000-0x00000000009FC000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads