remcos | 75e017e742b2506cdda2a132759075c7b187ca941df606b34116d0452ef04fd0

General

Target

20230921-8569342.exe
Size

1.0MB
MD5

b4a65efc3640455ae3b284515d884ef7
SHA1

36bc08893282e08210bafd666d09c5f7f2a81e68
SHA256

75e017e742b2506cdda2a132759075c7b187ca941df606b34116d0452ef04fd0
SHA512

0bb2831a3f27ecdb8f8cc33379bba5017ed462bcbd66b5d204c6837daa73cd19c7d8bc4737ba00ba488d327ebc7b0c87213e5f70e87a1fc69b55f6c98239c7d0
SSDEEP

24576:6RWQYAE36CIx5yD7cyR5JMwUlkR9tWYk4Sr8sBWRvooPRle:cWQ3nxkDZ52pl3Yk4SAiqvjPC

Score

10^/10

remcos 888888 rat

Malware Config

Extracted

Family

remcos

Botnet

888888

C2

moremoney.myftp.org:6609

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-EUI58J
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
3088	Phtos.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3948 set thread context of 4308	3948	20230921-8569342.exe	87

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2840	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 4308	3948	20230921-8569342.exe	87
PID 3948 wrote to memory of 4308	3948	20230921-8569342.exe	87
PID 3948 wrote to memory of 4308	3948	20230921-8569342.exe	87
PID 3948 wrote to memory of 4308	3948	20230921-8569342.exe	87
PID 3948 wrote to memory of 4308	3948	20230921-8569342.exe	87
PID 3948 wrote to memory of 4308	3948	20230921-8569342.exe	87
PID 3948 wrote to memory of 4308	3948	20230921-8569342.exe	87
PID 3948 wrote to memory of 4308	3948	20230921-8569342.exe	87
PID 3948 wrote to memory of 4308	3948	20230921-8569342.exe	87
PID 3948 wrote to memory of 4308	3948	20230921-8569342.exe	87
PID 3948 wrote to memory of 4308	3948	20230921-8569342.exe	87
PID 3948 wrote to memory of 4308	3948	20230921-8569342.exe	87
PID 3948 wrote to memory of 3976	3948	20230921-8569342.exe	88
PID 3948 wrote to memory of 3976	3948	20230921-8569342.exe	88
PID 3948 wrote to memory of 3976	3948	20230921-8569342.exe	88
PID 3948 wrote to memory of 1968	3948	20230921-8569342.exe	89
PID 3948 wrote to memory of 1968	3948	20230921-8569342.exe	89
PID 3948 wrote to memory of 1968	3948	20230921-8569342.exe	89
PID 3948 wrote to memory of 1652	3948	20230921-8569342.exe	91
PID 3948 wrote to memory of 1652	3948	20230921-8569342.exe	91
PID 3948 wrote to memory of 1652	3948	20230921-8569342.exe	91
PID 1968 wrote to memory of 2840	1968	cmd.exe	94
PID 1968 wrote to memory of 2840	1968	cmd.exe	94
PID 1968 wrote to memory of 2840	1968	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\20230921-8569342.exe
"C:\Users\Admin\AppData\Local\Temp\20230921-8569342.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4308
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Local\Temp\Phtos"
  2⤵
  PID:3976
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Phtos\Phtos.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Phtos\Phtos.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\20230921-8569342.exe" "C:\Users\Admin\AppData\Local\Temp\Phtos\Phtos.exe"
  2⤵
  PID:1652

C:\Users\Admin\AppData\Local\Temp\Phtos\Phtos.exe
C:\Users\Admin\AppData\Local\Temp\Phtos\Phtos.exe
1⤵
- Executes dropped EXE
PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Phtos\Phtos.exe

Filesize
1.0MB

MD5
b4a65efc3640455ae3b284515d884ef7

SHA1
36bc08893282e08210bafd666d09c5f7f2a81e68

SHA256
75e017e742b2506cdda2a132759075c7b187ca941df606b34116d0452ef04fd0

SHA512
0bb2831a3f27ecdb8f8cc33379bba5017ed462bcbd66b5d204c6837daa73cd19c7d8bc4737ba00ba488d327ebc7b0c87213e5f70e87a1fc69b55f6c98239c7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Phtos\Phtos.exe

Filesize
1024KB

MD5
56bff450dcb354d2897ff9ea2bd35021

SHA1
bfc3044ecb5e475f2c709db8aa394e3d1c61482a

SHA256
b721284a1021cdbf4b1eed1dc2050fb586f13cdc1f10e0494594c1ed6c171d51

SHA512
3100a57a3742360a9233165a47b68837c78889c0a22ce116c230cf0b40d8323906befa7f9d836fcd52f90070784fab081a3a94a35e9a25bcbc35a562f1b9f60c

Download Submit
memory/3088-24-0x0000000073F50000-0x0000000074700000-memory.dmp

Filesize
7.7MB

Download
memory/3948-0-0x0000000000E60000-0x0000000000F68000-memory.dmp

Filesize
1.0MB

Download
memory/3948-1-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/3948-2-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/3948-3-0x00000000058E0000-0x00000000059D6000-memory.dmp

Filesize
984KB

Download
memory/3948-8-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/4308-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4308-9-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4308-10-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4308-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4308-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4308-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4308-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4308-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4308-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4308-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4308-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4308-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4308-4-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads