remcos | 4b8d5c7a726e4489e3e527b36d433a23a225bbb32a45dca7b2e3f7786e8beb08

General

Target

RFQ_AP65425652_032421 urgentes,pdf.exe
Size

679KB
MD5

2e0e0203e066ec72a796d93709933a76
SHA1

691e8d0ea4b0cf3c65b432bc6c7c8240febeaff3
SHA256

4b8d5c7a726e4489e3e527b36d433a23a225bbb32a45dca7b2e3f7786e8beb08
SHA512

cfef9a11db2cec1ed34f5b604859d6af03325d2ebb36d4fa2fcd9b1f3a636fa3de33babe02aa68283c7018a56c1694b0710b9423c18169fcc6e6b63deb1cd1e1

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Version

2.7.1 Pro

Botnet

RemoteHost

C2

julygoals.hopto.org:7446

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-S2EP9Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ_AP65425652_032421 urgentes,pdf.exe

description pid process target process

PID 1172 set thread context of 1760 1172 RFQ_AP65425652_032421 urgentes,pdf.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

980 schtasks.exe

description	pid	process	target process
PID 1172 set thread context of 1760	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe

pid	process
980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

RFQ_AP65425652_032421 urgentes,pdf.exe

pid	process
1172	RFQ_AP65425652_032421 urgentes,pdf.exe
1172	RFQ_AP65425652_032421 urgentes,pdf.exe
1172	RFQ_AP65425652_032421 urgentes,pdf.exe
1172	RFQ_AP65425652_032421 urgentes,pdf.exe
1172	RFQ_AP65425652_032421 urgentes,pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RFQ_AP65425652_032421 urgentes,pdf.exe

description pid process

Token: SeDebugPrivilege 1172 RFQ_AP65425652_032421 urgentes,pdf.exe

description	pid	process
Token: SeDebugPrivilege	1172	RFQ_AP65425652_032421 urgentes,pdf.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

RFQ_AP65425652_032421 urgentes,pdf.exe

description	pid	process	target process
PID 1172 wrote to memory of 980	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	schtasks.exe
PID 1172 wrote to memory of 980	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	schtasks.exe
PID 1172 wrote to memory of 980	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	schtasks.exe
PID 1172 wrote to memory of 980	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	schtasks.exe
PID 1172 wrote to memory of 1324	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1324	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1324	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1324	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1700	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1700	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1700	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1700	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1988	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1988	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1988	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1988	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 880	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 880	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 880	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 880	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1760	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1760	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1760	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1760	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1760	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1760	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1760	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1760	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1760	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1760	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe
PID 1172 wrote to memory of 1760	1172	RFQ_AP65425652_032421 urgentes,pdf.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\RFQ_AP65425652_032421 urgentes,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_AP65425652_032421 urgentes,pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wHYZAnsJRjxwnD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A0F.tmp"
2⤵
- Creates scheduled task(s)
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9A0F.tmp
Filesize
1KB

MD5
d7836e1e8c24fe8bd363ffe19f798302

SHA1
49d20420033517aa532523db45abd31edf969be3

SHA256
01280ebc30c853ead1876e16f02cf958751074ae2bf392195af3c70483f186a2

SHA512
9c7997f8f935a79567009b44dffb4a27e4e6cab9b704a3f603c0cf563410bd7cd7b78de2cc2e572df8e33a9c04b934241fa7041085b4839413fe637db2306f37

Download Submit
memory/980-59-0x0000000000000000-mapping.dmp

Download
memory/1172-54-0x0000000000320000-0x00000000003D0000-memory.dmp

Filesize
704KB

Download
memory/1172-55-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1172-56-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/1172-57-0x0000000004DF0000-0x0000000004E66000-memory.dmp

Filesize
472KB

Download
memory/1172-58-0x0000000002040000-0x0000000002066000-memory.dmp

Filesize
152KB

Download
memory/1760-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1760-61-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1760-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1760-66-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1760-67-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1760-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1760-70-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1760-71-0x0000000000413FA4-mapping.dmp

Download
memory/1760-74-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1760-75-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1760-76-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads