remcos | ecc8200db1559efbe4adbc6fd105b7864fada00f4f44f70906668ec3fe211d94

General

Target

38dce98044e8afcadf97c744b6127609.exe
Size

300.0MB
MD5

38dce98044e8afcadf97c744b6127609
SHA1

ad0abc09ebac76f306973a57bd7599987d981c9a
SHA256

ecc8200db1559efbe4adbc6fd105b7864fada00f4f44f70906668ec3fe211d94
SHA512

1e19088624a7335bcfcda4f2968510a9440fdc72f850e5be87b8d825029fb52a01cd2a060c07c4fd552557c80306a970bf780155f95bbdf2a5dd9bba19951888
SSDEEP

12288:+p0n7snoXb6hFgo2XHlpHj06cQ0G1Rgu0kG9D59+gv2+T7Jw1954xh:++n7soe7gbHrHj040G1b059N

Score

10^/10

remcos lunes rat

Malware Config

Extracted

Family

remcos

Botnet

LUNES

C2

sdkvifernuebvhcdbv.con-ip.com:1883

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ACPSDP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

solve.exesolve.exe

pid process

4596 solve.exe
3360 solve.exe

pid	process
4596	solve.exe
3360	solve.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

38dce98044e8afcadf97c744b6127609.exesolve.exesolve.exe

description	pid	process	target process
PID 1568 set thread context of 1808	1568	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 4596 set thread context of 2500	4596	solve.exe	csc.exe
PID 3360 set thread context of 2432	3360	solve.exe	csc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1608 2432 WerFault.exe csc.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4724 schtasks.exe
3428 schtasks.exe
2752 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

csc.exe

pid process

1808 csc.exe

pid	pid_target	process	target process
1608	2432	WerFault.exe	csc.exe

pid	process
4724	schtasks.exe
3428	schtasks.exe
2752	schtasks.exe

pid	process
1808	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

38dce98044e8afcadf97c744b6127609.execmd.exesolve.execmd.exesolve.exe

description	pid	process	target process
PID 1568 wrote to memory of 1808	1568	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 1568 wrote to memory of 1808	1568	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 1568 wrote to memory of 1808	1568	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 1568 wrote to memory of 1808	1568	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 1568 wrote to memory of 1808	1568	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 1568 wrote to memory of 1808	1568	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 1568 wrote to memory of 1808	1568	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 1568 wrote to memory of 1808	1568	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 1568 wrote to memory of 1808	1568	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 1568 wrote to memory of 1808	1568	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 1568 wrote to memory of 1808	1568	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 1568 wrote to memory of 1808	1568	38dce98044e8afcadf97c744b6127609.exe	csc.exe
PID 1568 wrote to memory of 4312	1568	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 1568 wrote to memory of 4312	1568	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 1568 wrote to memory of 4312	1568	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 1568 wrote to memory of 3480	1568	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 1568 wrote to memory of 3480	1568	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 1568 wrote to memory of 3480	1568	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 1568 wrote to memory of 4580	1568	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 1568 wrote to memory of 4580	1568	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 1568 wrote to memory of 4580	1568	38dce98044e8afcadf97c744b6127609.exe	cmd.exe
PID 3480 wrote to memory of 4724	3480	cmd.exe	schtasks.exe
PID 3480 wrote to memory of 4724	3480	cmd.exe	schtasks.exe
PID 3480 wrote to memory of 4724	3480	cmd.exe	schtasks.exe
PID 4596 wrote to memory of 2500	4596	solve.exe	csc.exe
PID 4596 wrote to memory of 2500	4596	solve.exe	csc.exe
PID 4596 wrote to memory of 2500	4596	solve.exe	csc.exe
PID 4596 wrote to memory of 2500	4596	solve.exe	csc.exe
PID 4596 wrote to memory of 2500	4596	solve.exe	csc.exe
PID 4596 wrote to memory of 2500	4596	solve.exe	csc.exe
PID 4596 wrote to memory of 2500	4596	solve.exe	csc.exe
PID 4596 wrote to memory of 2500	4596	solve.exe	csc.exe
PID 4596 wrote to memory of 2500	4596	solve.exe	csc.exe
PID 4596 wrote to memory of 2500	4596	solve.exe	csc.exe
PID 4596 wrote to memory of 2500	4596	solve.exe	csc.exe
PID 4596 wrote to memory of 2500	4596	solve.exe	csc.exe
PID 4596 wrote to memory of 3388	4596	solve.exe	cmd.exe
PID 4596 wrote to memory of 3388	4596	solve.exe	cmd.exe
PID 4596 wrote to memory of 3388	4596	solve.exe	cmd.exe
PID 4596 wrote to memory of 4696	4596	solve.exe	cmd.exe
PID 4596 wrote to memory of 4696	4596	solve.exe	cmd.exe
PID 4596 wrote to memory of 4696	4596	solve.exe	cmd.exe
PID 4596 wrote to memory of 2864	4596	solve.exe	cmd.exe
PID 4596 wrote to memory of 2864	4596	solve.exe	cmd.exe
PID 4596 wrote to memory of 2864	4596	solve.exe	cmd.exe
PID 4696 wrote to memory of 3428	4696	cmd.exe	schtasks.exe
PID 4696 wrote to memory of 3428	4696	cmd.exe	schtasks.exe
PID 4696 wrote to memory of 3428	4696	cmd.exe	schtasks.exe
PID 3360 wrote to memory of 2432	3360	solve.exe	csc.exe
PID 3360 wrote to memory of 2432	3360	solve.exe	csc.exe
PID 3360 wrote to memory of 2432	3360	solve.exe	csc.exe
PID 3360 wrote to memory of 2432	3360	solve.exe	csc.exe
PID 3360 wrote to memory of 2432	3360	solve.exe	csc.exe
PID 3360 wrote to memory of 2432	3360	solve.exe	csc.exe
PID 3360 wrote to memory of 2432	3360	solve.exe	csc.exe
PID 3360 wrote to memory of 2432	3360	solve.exe	csc.exe
PID 3360 wrote to memory of 2432	3360	solve.exe	csc.exe
PID 3360 wrote to memory of 2432	3360	solve.exe	csc.exe
PID 3360 wrote to memory of 2432	3360	solve.exe	csc.exe
PID 3360 wrote to memory of 2432	3360	solve.exe	csc.exe
PID 3360 wrote to memory of 4064	3360	solve.exe	cmd.exe
PID 3360 wrote to memory of 4064	3360	solve.exe	cmd.exe
PID 3360 wrote to memory of 4064	3360	solve.exe	cmd.exe
PID 3360 wrote to memory of 2392	3360	solve.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\38dce98044e8afcadf97c744b6127609.exe
"C:\Users\Admin\AppData\Local\Temp\38dce98044e8afcadf97c744b6127609.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\solve"
2⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\solve\solve.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\solve\solve.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4724

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\38dce98044e8afcadf97c744b6127609.exe" "C:\Users\Admin\AppData\Roaming\solve\solve.exe"
2⤵
PID:4580

C:\Users\Admin\AppData\Roaming\solve\solve.exe
C:\Users\Admin\AppData\Roaming\solve\solve.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\solve\solve.exe" "C:\Users\Admin\AppData\Roaming\solve\solve.exe"
2⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\solve\solve.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\solve\solve.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3428

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\solve"
2⤵
PID:3388

C:\Users\Admin\AppData\Roaming\solve\solve.exe
C:\Users\Admin\AppData\Roaming\solve\solve.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 500
3⤵
- Program crash
PID:1608

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\solve"
2⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\solve\solve.exe'" /f
2⤵
PID:2392

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\solve\solve.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2752

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\solve\solve.exe" "C:\Users\Admin\AppData\Roaming\solve\solve.exe"
2⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2432 -ip 2432
1⤵
PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\solve.exe.log
Filesize
517B

MD5
3334ecde6536c93e216decce323cbe3e

SHA1
277f9a4e3a14c5dbe6b92fabac8b2050cab3629b

SHA256
494fcff7f11e2d7ea9abfbf91d6dea2595388ab4c45269e5fd74c82796d0a76a

SHA512
2830773d60aa9fe73c7e0a28502e198d931422b4a1df9a0b844d3952bb0aed7aa2b5da39e1adf145c9e6c2f75a33560da23c9b2b774fb38718bde066eafcad9d

Download Submit
C:\Users\Admin\AppData\Roaming\solve\solve.exe
Filesize
300.0MB

MD5
38dce98044e8afcadf97c744b6127609

SHA1
ad0abc09ebac76f306973a57bd7599987d981c9a

SHA256
ecc8200db1559efbe4adbc6fd105b7864fada00f4f44f70906668ec3fe211d94

SHA512
1e19088624a7335bcfcda4f2968510a9440fdc72f850e5be87b8d825029fb52a01cd2a060c07c4fd552557c80306a970bf780155f95bbdf2a5dd9bba19951888

Download Submit
C:\Users\Admin\AppData\Roaming\solve\solve.exe
Filesize
300.0MB

MD5
38dce98044e8afcadf97c744b6127609

SHA1
ad0abc09ebac76f306973a57bd7599987d981c9a

SHA256
ecc8200db1559efbe4adbc6fd105b7864fada00f4f44f70906668ec3fe211d94

SHA512
1e19088624a7335bcfcda4f2968510a9440fdc72f850e5be87b8d825029fb52a01cd2a060c07c4fd552557c80306a970bf780155f95bbdf2a5dd9bba19951888

Download Submit
C:\Users\Admin\AppData\Roaming\solve\solve.exe
Filesize
300.0MB

MD5
38dce98044e8afcadf97c744b6127609

SHA1
ad0abc09ebac76f306973a57bd7599987d981c9a

SHA256
ecc8200db1559efbe4adbc6fd105b7864fada00f4f44f70906668ec3fe211d94

SHA512
1e19088624a7335bcfcda4f2968510a9440fdc72f850e5be87b8d825029fb52a01cd2a060c07c4fd552557c80306a970bf780155f95bbdf2a5dd9bba19951888

Download Submit
memory/1568-133-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/1568-132-0x0000000000F40000-0x0000000000FFE000-memory.dmp

Filesize
760KB

Download
memory/1808-134-0x0000000000000000-mapping.dmp

Download
memory/1808-135-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1808-136-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1808-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1808-142-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1808-143-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-171-0x0000000000000000-mapping.dmp

Download
memory/2432-157-0x0000000000000000-mapping.dmp

Download
memory/2432-164-0x0000000000890000-0x000000000090F000-memory.dmp

Filesize
508KB

Download
memory/2432-169-0x0000000000890000-0x000000000090F000-memory.dmp

Filesize
508KB

Download
memory/2500-153-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2500-146-0x0000000000000000-mapping.dmp

Download
memory/2500-149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2500-148-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2752-173-0x0000000000000000-mapping.dmp

Download
memory/2864-152-0x0000000000000000-mapping.dmp

Download
memory/3388-150-0x0000000000000000-mapping.dmp

Download
memory/3428-154-0x0000000000000000-mapping.dmp

Download
memory/3480-138-0x0000000000000000-mapping.dmp

Download
memory/3688-172-0x0000000000000000-mapping.dmp

Download
memory/4064-170-0x0000000000000000-mapping.dmp

Download
memory/4312-137-0x0000000000000000-mapping.dmp

Download
memory/4580-140-0x0000000000000000-mapping.dmp

Download
memory/4696-151-0x0000000000000000-mapping.dmp

Download
memory/4724-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads