remcos | 497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714

General

Target

497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.exe
Size

114KB
MD5

53d4ab9c429de02b7efc94d7be3e6059
SHA1

2dba6ac014c7115407fbd56e6367c3f57679404f
SHA256

497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714
SHA512

a19570164b7bc47c6975b93835b408c80f7fed8a9874d398cf0227e2dd2c033d4e31f0bb332c800bab0f60073eec084a0bebac4abc6ba069aa3547c27c9622cb
SSDEEP

3072:1toI3eJY6z2cQEjbCTb6TbEVDR2fxvPXj5:1aJJ9zpblEVDsvj5

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

pekonomia.duckdns.org:30861

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B0VP4N
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

H2.exe

pid process

1400 H2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

H2.exe

description pid process target process

PID 1400 set thread context of 2264 1400 H2.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.exe

description pid process

Token: SeDebugPrivilege 4348 497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.exe

pid	process
1400	H2.exe

description	pid	process	target process
PID 1400 set thread context of 2264	1400	H2.exe	aspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	4348	497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.execmd.exeH2.exe

description	pid	process	target process
PID 4348 wrote to memory of 1400	4348	497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.exe	H2.exe
PID 4348 wrote to memory of 1400	4348	497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.exe	H2.exe
PID 4348 wrote to memory of 1776	4348	497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.exe	cmd.exe
PID 4348 wrote to memory of 1776	4348	497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.exe	cmd.exe
PID 1776 wrote to memory of 3884	1776	cmd.exe	choice.exe
PID 1776 wrote to memory of 3884	1776	cmd.exe	choice.exe
PID 1400 wrote to memory of 2264	1400	H2.exe	aspnet_compiler.exe
PID 1400 wrote to memory of 2264	1400	H2.exe	aspnet_compiler.exe
PID 1400 wrote to memory of 2264	1400	H2.exe	aspnet_compiler.exe
PID 1400 wrote to memory of 2264	1400	H2.exe	aspnet_compiler.exe
PID 1400 wrote to memory of 2264	1400	H2.exe	aspnet_compiler.exe
PID 1400 wrote to memory of 2264	1400	H2.exe	aspnet_compiler.exe
PID 1400 wrote to memory of 2264	1400	H2.exe	aspnet_compiler.exe
PID 1400 wrote to memory of 2264	1400	H2.exe	aspnet_compiler.exe
PID 1400 wrote to memory of 2264	1400	H2.exe	aspnet_compiler.exe
PID 1400 wrote to memory of 2264	1400	H2.exe	aspnet_compiler.exe
PID 1400 wrote to memory of 2264	1400	H2.exe	aspnet_compiler.exe
PID 1400 wrote to memory of 2264	1400	H2.exe	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.exe
"C:\Users\Admin\AppData\Local\Temp\497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\H2.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\H2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:2264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 1
3⤵
PID:3884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\H2.exe
Filesize
590KB

MD5
200f70cceffbcc69815d125f1ca40fd8

SHA1
137dc1cd3b2b5662e93595a348115cef942ff394

SHA256
617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd

SHA512
a9a6f74090e777a027727f4a72c2b6b6235e73bfa07c1db78d8f7f912c9c7d92878b309de6d5413a373a19a3a2a69c2418194efd597a670b5b40fdba0954cafe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\H2.exe
Filesize
590KB

MD5
200f70cceffbcc69815d125f1ca40fd8

SHA1
137dc1cd3b2b5662e93595a348115cef942ff394

SHA256
617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd

SHA512
a9a6f74090e777a027727f4a72c2b6b6235e73bfa07c1db78d8f7f912c9c7d92878b309de6d5413a373a19a3a2a69c2418194efd597a670b5b40fdba0954cafe

Download Submit
memory/1400-124-0x000001C49CB40000-0x000001C49CBD2000-memory.dmp

Filesize
584KB

Download
memory/1400-125-0x000001C49CEF0000-0x000001C49CEFC000-memory.dmp

Filesize
48KB

Download
memory/2264-131-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-134-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-126-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-128-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-129-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-130-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-132-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-133-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-146-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-135-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-137-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-138-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-139-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-140-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-142-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2264-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4348-117-0x00000241EA910000-0x00000241EA920000-memory.dmp

Filesize
64KB

Download
memory/4348-116-0x00000241E81E0000-0x00000241E81FC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing