remcos | bd335424bd78de85c90c0f87de564238face917f45868c9c4349dbc722903ba8

General

Target

bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe
Size

4.8MB
MD5

9e5b7dcdcc4fc789d42965913198af90
SHA1

78d849497340207ca67025e361cfdcfbdd9c56d9
SHA256

bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9
SHA512

630c1f33909b8fec491bb68011ff5181b2f466124f86b7d0f307e23a22256340a9302b65238085b017cf2f8679008d1334fa35a97ebb273d8bbbadc421d7c742
SSDEEP

98304:OKa8qs77MPTgvAWlmyYSlEsLpu8bh+k6oDxxdfYu8LRznL1bDF0f6sbuQM9Fl0YF:OKf77MPTgIWlnY/sLpLNk4xdz8LRznln

Score

10^/10

remcos un2 rat rezer0

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

un2

C2

CEDSXoissLv2NiM.club:5762

PgqduOYXVZeNNam.xyz:5762

USd7O88wEMlUtX5.xyz:5762

pMfiryhhkiN98Px.xyz:5762

Se2Qwz60L2OxZNM.xyz:5762

GWtY0fiG58DCq6F.xyz:5762

maui16azsncpo97.info:5762

mj99puoba6c3gun.info:5762

tu90to3b4q4uqze.info:5762

cwt1u0vv8ic357ov.info:5762

agaoajz1hrvevre.info:5762

poykoqnl7jkj632.info:5762

cbiq1neygyp1wno.info:5762

BCBNcQ393Z3HPLQ.club:5762

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-18GB56
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/2284-4-0x0000000000A10000-0x0000000000A3E000-memory.dmp	rezer0

Suspicious use of SetThreadContext 1 IoCs

Processes:

bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe

description	pid	process	target process
PID 2284 set thread context of 2636	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2708 schtasks.exe

pid	process
2708	schtasks.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe

C:\Users\Admin\AppData\Local\Temp\bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe
"C:\Users\Admin\AppData\Local\Temp\bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KSridAySHa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE3E.tmp"
2⤵
- Creates scheduled task(s)
PID:2708

C:\Users\Admin\AppData\Local\Temp\bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe
"{path}"
2⤵
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDE3E.tmp
Filesize
1KB

MD5
3310e679745cd29efa2a9831a588e143

SHA1
50a3fb9758543ede948d751db3fcc6d3c603a39d

SHA256
b94a7d491d4adc2dfdba98a615c4ab37935c6dc86b0a49d7f9f1293d3410e483

SHA512
375c37917aed25b9b2f23c75a02e32ad3df8c1b18746e3fb0bf074631714f7edd0c151dac4d872bd76a96648344b6ee338f0f245721af05e58ac664a3245c79c

Download Submit
memory/2284-1-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-0-0x00000000011E0000-0x00000000016AE000-memory.dmp

Filesize
4.8MB

Download
memory/2284-2-0x00000000050E0000-0x0000000005120000-memory.dmp

Filesize
256KB

Download
memory/2284-3-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2284-4-0x0000000000A10000-0x0000000000A3E000-memory.dmp

Filesize
184KB

Download
memory/2284-5-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-6-0x00000000050E0000-0x0000000005120000-memory.dmp

Filesize
256KB

Download
memory/2284-28-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-22-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-29-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-32-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-33-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-35-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-36-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-37-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-38-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-42-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-49-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-69-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-75-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-77-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

description	pid	process	target process
PID 2284 wrote to memory of 2708	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	schtasks.exe
PID 2284 wrote to memory of 2708	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	schtasks.exe
PID 2284 wrote to memory of 2708	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	schtasks.exe
PID 2284 wrote to memory of 2708	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	schtasks.exe
PID 2284 wrote to memory of 2636	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe
PID 2284 wrote to memory of 2636	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe
PID 2284 wrote to memory of 2636	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe
PID 2284 wrote to memory of 2636	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe
PID 2284 wrote to memory of 2636	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe
PID 2284 wrote to memory of 2636	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe
PID 2284 wrote to memory of 2636	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe
PID 2284 wrote to memory of 2636	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe
PID 2284 wrote to memory of 2636	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe
PID 2284 wrote to memory of 2636	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe
PID 2284 wrote to memory of 2636	2284	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe	bc4f7e44aa659f963b872c9961feaa67d810607fc851fa63c4c520d3119cdbc9.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads