remcos | a47783e77972a2cd6711b618b3dd3a57544e6c225e37d44961e967b2530e63da

General

Target

b9df9c09f708b886eee75c536d7e002a.exe
Size

1.4MB
MD5

b9df9c09f708b886eee75c536d7e002a
SHA1

f47797d0b3ed574db1ae1a3c7820cfeee6d21d3f
SHA256

a47783e77972a2cd6711b618b3dd3a57544e6c225e37d44961e967b2530e63da
SHA512

156c61f2a7d9108b42491d5a2d457be36913faff6ac23044372120e481beb32c08a4c4f121067b2b58f0485649ddd8f396f2fdc89db30c4772222adb2b6c6a86
SSDEEP

24576:n6yJMY9UFoRDhkeYM1jJR97zUbia9JVe0hs5WfBiERJchVML1bT6ER:6Y9UORVOM1jJHzaiape0hsABFRJch6Ll

Score

10^/10

remcos graced rat rezer0 upx

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

GRACED

C2

thankyoulord.ddns.net:5050

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-0S5XD9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/2844-9-0x0000000001F90000-0x0000000001FBC000-memory.dmp	rezer0

Executes dropped EXE 1 IoCs

Processes:

test.exe

pid process

2844 test.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2816 cmd.exe

pid	process
2844	test.exe

pid	process
2816	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1968-0-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/1968-10-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/1968-35-0x0000000000400000-0x00000000006F1000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

test.exe

description pid process target process

PID 2844 set thread context of 2720 2844 test.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2264 schtasks.exe

description	pid	process	target process
PID 2844 set thread context of 2720	2844	test.exe	vbc.exe

pid	process
2264	schtasks.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

b9df9c09f708b886eee75c536d7e002a.execmd.exetest.exe

description	pid	process	target process
PID 1968 wrote to memory of 2816	1968	b9df9c09f708b886eee75c536d7e002a.exe	cmd.exe
PID 1968 wrote to memory of 2816	1968	b9df9c09f708b886eee75c536d7e002a.exe	cmd.exe
PID 1968 wrote to memory of 2816	1968	b9df9c09f708b886eee75c536d7e002a.exe	cmd.exe
PID 1968 wrote to memory of 2816	1968	b9df9c09f708b886eee75c536d7e002a.exe	cmd.exe
PID 2816 wrote to memory of 2844	2816	cmd.exe	test.exe
PID 2816 wrote to memory of 2844	2816	cmd.exe	test.exe
PID 2816 wrote to memory of 2844	2816	cmd.exe	test.exe
PID 2816 wrote to memory of 2844	2816	cmd.exe	test.exe
PID 2844 wrote to memory of 2264	2844	test.exe	schtasks.exe
PID 2844 wrote to memory of 2264	2844	test.exe	schtasks.exe
PID 2844 wrote to memory of 2264	2844	test.exe	schtasks.exe
PID 2844 wrote to memory of 2264	2844	test.exe	schtasks.exe
PID 2844 wrote to memory of 2720	2844	test.exe	vbc.exe
PID 2844 wrote to memory of 2720	2844	test.exe	vbc.exe
PID 2844 wrote to memory of 2720	2844	test.exe	vbc.exe
PID 2844 wrote to memory of 2720	2844	test.exe	vbc.exe
PID 2844 wrote to memory of 2720	2844	test.exe	vbc.exe
PID 2844 wrote to memory of 2720	2844	test.exe	vbc.exe
PID 2844 wrote to memory of 2720	2844	test.exe	vbc.exe
PID 2844 wrote to memory of 2720	2844	test.exe	vbc.exe
PID 2844 wrote to memory of 2720	2844	test.exe	vbc.exe
PID 2844 wrote to memory of 2720	2844	test.exe	vbc.exe
PID 2844 wrote to memory of 2720	2844	test.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\b9df9c09f708b886eee75c536d7e002a.exe
"C:\Users\Admin\AppData\Local\Temp\b9df9c09f708b886eee75c536d7e002a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vXAlJeWc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp759D.tmp"
4⤵
- Creates scheduled task(s)
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp759D.tmp
Filesize
1KB

MD5
81bd8ab36b5bada1a66e1d6aec930c19

SHA1
4d6a9e17edacbd058dc7780f6e90476baec51485

SHA256
eebf931af3ee5475b0f680fa30650fdc7be47647e9dca05371de7cc0d142d153

SHA512
ba308dc09c4ab636c7f6ff004ba18d0f448064c8220a3a8d2d595c9d893bb9f865525ae7f4b31978b699c3edbfce9439b6adfffb9a76f6f9a1279ac1e4301041

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe
Filesize
92KB

MD5
54d4cdd9600aca32e4d54e5b113396ce

SHA1
84473a9c603f2100e66a3d7cfe00053ec0e47032

SHA256
2c6b1f31bf7d8e101ee2abeebf10715ad64dbc2e63ace21d52a3d93dc5984611

SHA512
d80aeb4100c76b17e8aa6ebb7b1db0a943aadfee2d647f609e1bc7659488c45ef259c3308e49e70faad4d2ea1871fa110d2378421ce4213265ee4850b97267a7

Download Submit
memory/1968-10-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/1968-0-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/1968-35-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2720-37-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-29-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-33-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-49-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-28-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-22-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-36-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-38-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2844-5-0x0000000000040000-0x0000000000098000-memory.dmp

Filesize
352KB

Download
memory/2844-9-0x0000000001F90000-0x0000000001FBC000-memory.dmp

Filesize
176KB

Download
memory/2844-32-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-6-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-7-0x0000000004C50000-0x0000000004C90000-memory.dmp

Filesize
256KB

Download
memory/2844-8-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads