remcos | ecc8200db1559efbe4adbc6fd105b7864fada00f4f44f70906668ec3fe211d94

General

Target

38dce98044e8afcadf97c744b6127609.exe
Size

300.0MB
MD5

38dce98044e8afcadf97c744b6127609
SHA1

ad0abc09ebac76f306973a57bd7599987d981c9a
SHA256

ecc8200db1559efbe4adbc6fd105b7864fada00f4f44f70906668ec3fe211d94
SHA512

1e19088624a7335bcfcda4f2968510a9440fdc72f850e5be87b8d825029fb52a01cd2a060c07c4fd552557c80306a970bf780155f95bbdf2a5dd9bba19951888
SSDEEP

12288:+p0n7snoXb6hFgo2XHlpHj06cQ0G1Rgu0kG9D59+gv2+T7Jw1954xh:++n7soe7gbHrHj040G1b059N

Score

10^/10

remcos lunes rat

Malware Config

Extracted

Family

remcos

Botnet

LUNES

C2

sdkvifernuebvhcdbv.con-ip.com:1883

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ACPSDP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

solve.exesolve.exe

pid process

432 solve.exe
1688 solve.exe

pid	process
432	solve.exe
1688	solve.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

38dce98044e8afcadf97c744b6127609.exesolve.exesolve.exe

description	pid	process	target process
PID 944 set thread context of 644	944	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 432 set thread context of 1628	432	solve.exe	csc.exe
PID 1688 set thread context of 992	1688	solve.exe	csc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1528 schtasks.exe
560 schtasks.exe
840 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

csc.exe

pid process

644 csc.exe

pid	process
1528	schtasks.exe
560	schtasks.exe
840	schtasks.exe

pid	process
644	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

38dce98044e8afcadf97c744b6127609.execmd.exetaskeng.exesolve.execmd.exe

description	pid	process	target process
PID 944 wrote to memory of 644	944	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 944 wrote to memory of 644	944	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 944 wrote to memory of 644	944	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 944 wrote to memory of 644	944	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 944 wrote to memory of 644	944	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 944 wrote to memory of 644	944	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 944 wrote to memory of 644	944	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 944 wrote to memory of 644	944	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 944 wrote to memory of 644	944	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 944 wrote to memory of 644	944	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 944 wrote to memory of 644	944	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 944 wrote to memory of 644	944	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 944 wrote to memory of 644	944	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 944 wrote to memory of 1356	944	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 944 wrote to memory of 1356	944	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 944 wrote to memory of 1356	944	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 944 wrote to memory of 1356	944	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 944 wrote to memory of 336	944	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 944 wrote to memory of 336	944	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 944 wrote to memory of 336	944	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 944 wrote to memory of 336	944	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 944 wrote to memory of 2044	944	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 944 wrote to memory of 2044	944	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 944 wrote to memory of 2044	944	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 944 wrote to memory of 2044	944	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 336 wrote to memory of 1528	336	cmd.exe	schtasks.exe
PID 336 wrote to memory of 1528	336	cmd.exe	schtasks.exe
PID 336 wrote to memory of 1528	336	cmd.exe	schtasks.exe
PID 336 wrote to memory of 1528	336	cmd.exe	schtasks.exe
PID 1056 wrote to memory of 432	1056	taskeng.exe	solve.exe
PID 1056 wrote to memory of 432	1056	taskeng.exe	solve.exe
PID 1056 wrote to memory of 432	1056	taskeng.exe	solve.exe
PID 1056 wrote to memory of 432	1056	taskeng.exe	solve.exe
PID 1056 wrote to memory of 432	1056	taskeng.exe	solve.exe
PID 1056 wrote to memory of 432	1056	taskeng.exe	solve.exe
PID 1056 wrote to memory of 432	1056	taskeng.exe	solve.exe
PID 432 wrote to memory of 1628	432	solve.exe	csc.exe
PID 432 wrote to memory of 1628	432	solve.exe	csc.exe
PID 432 wrote to memory of 1628	432	solve.exe	csc.exe
PID 432 wrote to memory of 1628	432	solve.exe	csc.exe
PID 432 wrote to memory of 1628	432	solve.exe	csc.exe
PID 432 wrote to memory of 1628	432	solve.exe	csc.exe
PID 432 wrote to memory of 1628	432	solve.exe	csc.exe
PID 432 wrote to memory of 1628	432	solve.exe	csc.exe
PID 432 wrote to memory of 1628	432	solve.exe	csc.exe
PID 432 wrote to memory of 1628	432	solve.exe	csc.exe
PID 432 wrote to memory of 1628	432	solve.exe	csc.exe
PID 432 wrote to memory of 1628	432	solve.exe	csc.exe
PID 432 wrote to memory of 1628	432	solve.exe	csc.exe
PID 432 wrote to memory of 892	432	solve.exe	cmd.exe
PID 432 wrote to memory of 892	432	solve.exe	cmd.exe
PID 432 wrote to memory of 892	432	solve.exe	cmd.exe
PID 432 wrote to memory of 892	432	solve.exe	cmd.exe
PID 432 wrote to memory of 1960	432	solve.exe	cmd.exe
PID 432 wrote to memory of 1960	432	solve.exe	cmd.exe
PID 432 wrote to memory of 1960	432	solve.exe	cmd.exe
PID 432 wrote to memory of 1960	432	solve.exe	cmd.exe
PID 1960 wrote to memory of 560	1960	cmd.exe	schtasks.exe
PID 1960 wrote to memory of 560	1960	cmd.exe	schtasks.exe
PID 1960 wrote to memory of 560	1960	cmd.exe	schtasks.exe
PID 1960 wrote to memory of 560	1960	cmd.exe	schtasks.exe
PID 432 wrote to memory of 456	432	solve.exe	cmd.exe
PID 432 wrote to memory of 456	432	solve.exe	cmd.exe
PID 432 wrote to memory of 456	432	solve.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\38dce98044e8afcadf97c744b6127609.exe
"C:\Users\Admin\AppData\Local\Temp\38dce98044e8afcadf97c744b6127609.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:644

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\solve"
2⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\solve\solve.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\solve\solve.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1528

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\38dce98044e8afcadf97c744b6127609.exe" "C:\Users\Admin\AppData\Roaming\solve\solve.exe"
2⤵
PID:2044

C:\Windows\system32\taskeng.exe
taskeng.exe {9406DAC1-8804-4CE2-8E5D-AF028E38BF7B} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Roaming\solve\solve.exe
C:\Users\Admin\AppData\Roaming\solve\solve.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
3⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\solve"
3⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\solve\solve.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\solve\solve.exe'" /f
4⤵
- Creates scheduled task(s)
PID:560

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\solve\solve.exe" "C:\Users\Admin\AppData\Roaming\solve\solve.exe"
3⤵
PID:456

C:\Users\Admin\AppData\Roaming\solve\solve.exe
C:\Users\Admin\AppData\Roaming\solve\solve.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
3⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\solve"
3⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\solve\solve.exe'" /f
3⤵
PID:1716

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\solve\solve.exe'" /f
4⤵
- Creates scheduled task(s)
PID:840

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\solve\solve.exe" "C:\Users\Admin\AppData\Roaming\solve\solve.exe"
3⤵
PID:740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\solve\solve.exe
Filesize
300.0MB

MD5
38dce98044e8afcadf97c744b6127609

SHA1
ad0abc09ebac76f306973a57bd7599987d981c9a

SHA256
ecc8200db1559efbe4adbc6fd105b7864fada00f4f44f70906668ec3fe211d94

SHA512
1e19088624a7335bcfcda4f2968510a9440fdc72f850e5be87b8d825029fb52a01cd2a060c07c4fd552557c80306a970bf780155f95bbdf2a5dd9bba19951888

Download Submit
C:\Users\Admin\AppData\Roaming\solve\solve.exe
Filesize
300.0MB

MD5
38dce98044e8afcadf97c744b6127609

SHA1
ad0abc09ebac76f306973a57bd7599987d981c9a

SHA256
ecc8200db1559efbe4adbc6fd105b7864fada00f4f44f70906668ec3fe211d94

SHA512
1e19088624a7335bcfcda4f2968510a9440fdc72f850e5be87b8d825029fb52a01cd2a060c07c4fd552557c80306a970bf780155f95bbdf2a5dd9bba19951888

Download Submit
C:\Users\Admin\AppData\Roaming\solve\solve.exe
Filesize
300.0MB

MD5
38dce98044e8afcadf97c744b6127609

SHA1
ad0abc09ebac76f306973a57bd7599987d981c9a

SHA256
ecc8200db1559efbe4adbc6fd105b7864fada00f4f44f70906668ec3fe211d94

SHA512
1e19088624a7335bcfcda4f2968510a9440fdc72f850e5be87b8d825029fb52a01cd2a060c07c4fd552557c80306a970bf780155f95bbdf2a5dd9bba19951888

Download Submit
memory/336-83-0x0000000000000000-mapping.dmp

Download
memory/432-89-0x0000000001290000-0x000000000134E000-memory.dmp

Filesize
760KB

Download
memory/432-87-0x0000000000000000-mapping.dmp

Download
memory/456-120-0x0000000000000000-mapping.dmp

Download
memory/560-119-0x0000000000000000-mapping.dmp

Download
memory/644-56-0x00000000000D0000-0x000000000014F000-memory.dmp

Filesize
508KB

Download
memory/644-61-0x00000000000D0000-0x000000000014F000-memory.dmp

Filesize
508KB

Download
memory/644-75-0x00000000000D0000-0x000000000014F000-memory.dmp

Filesize
508KB

Download
memory/644-69-0x0000000000432C26-mapping.dmp

Download
memory/644-70-0x00000000000D0000-0x000000000014F000-memory.dmp

Filesize
508KB

Download
memory/644-81-0x00000000000D0000-0x000000000014F000-memory.dmp

Filesize
508KB

Download
memory/644-63-0x00000000000D0000-0x000000000014F000-memory.dmp

Filesize
508KB

Download
memory/644-62-0x00000000000D0000-0x000000000014F000-memory.dmp

Filesize
508KB

Download
memory/644-57-0x00000000000D0000-0x000000000014F000-memory.dmp

Filesize
508KB

Download
memory/644-66-0x00000000000D0000-0x000000000014F000-memory.dmp

Filesize
508KB

Download
memory/644-59-0x00000000000D0000-0x000000000014F000-memory.dmp

Filesize
508KB

Download
memory/644-64-0x00000000000D0000-0x000000000014F000-memory.dmp

Filesize
508KB

Download
memory/740-151-0x0000000000000000-mapping.dmp

Download
memory/840-152-0x0000000000000000-mapping.dmp

Download
memory/884-149-0x0000000000000000-mapping.dmp

Download
memory/892-106-0x0000000000000000-mapping.dmp

Download
memory/944-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/944-54-0x00000000010B0000-0x000000000116E000-memory.dmp

Filesize
760KB

Download
memory/992-138-0x0000000000432C26-mapping.dmp

Download
memory/1356-82-0x0000000000000000-mapping.dmp

Download
memory/1528-85-0x0000000000000000-mapping.dmp

Download
memory/1628-117-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1628-111-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1628-104-0x0000000000432C26-mapping.dmp

Download
memory/1688-121-0x0000000000000000-mapping.dmp

Download
memory/1688-123-0x0000000001290000-0x000000000134E000-memory.dmp

Filesize
760KB

Download
memory/1716-150-0x0000000000000000-mapping.dmp

Download
memory/1960-118-0x0000000000000000-mapping.dmp

Download
memory/2044-84-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads