remcos | e897d756722140b424ac02aab14733d05074d5c40f019c6420bc2689dccd6915

General

Target

ff044509cd6eba3681d1f548574b5d7a.exe
Size

420KB
MD5

ff044509cd6eba3681d1f548574b5d7a
SHA1

d83b30d4bf145fcf8053e190ab9a0af0577d4cee
SHA256

e897d756722140b424ac02aab14733d05074d5c40f019c6420bc2689dccd6915
SHA512

ae1bdc80b0cb1be8261a36fd194620b7efd6c391b508f05d5351c9a0b620f3066342ba4a6543821ed9adbb742a29936b925036f321993c3dde151a08cc5af7e0
SSDEEP

6144:d9g5p/aJJL7XJAnY7jioSgBK0Ru115xTcYeEknZJJAVAe3:dgUJHX+nOjhBq1j2AWE

Score

10^/10

remcos agilenet persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/4772-2-0x0000000002970000-0x0000000002986000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\progmfil = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Local\\ftermgr.exe"	reg.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

ff044509cd6eba3681d1f548574b5d7a.exepowershell.exe

pid	process
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
4772	ff044509cd6eba3681d1f548574b5d7a.exe
5060	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ff044509cd6eba3681d1f548574b5d7a.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4772 ff044509cd6eba3681d1f548574b5d7a.exe
Token: SeDebugPrivilege 5060 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4772	ff044509cd6eba3681d1f548574b5d7a.exe
Token: SeDebugPrivilege	5060	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ff044509cd6eba3681d1f548574b5d7a.execmd.exe

description	pid	process	target process
PID 4772 wrote to memory of 4836	4772	ff044509cd6eba3681d1f548574b5d7a.exe	cmd.exe
PID 4772 wrote to memory of 4836	4772	ff044509cd6eba3681d1f548574b5d7a.exe	cmd.exe
PID 4772 wrote to memory of 4836	4772	ff044509cd6eba3681d1f548574b5d7a.exe	cmd.exe
PID 4836 wrote to memory of 5080	4836	cmd.exe	reg.exe
PID 4836 wrote to memory of 5080	4836	cmd.exe	reg.exe
PID 4836 wrote to memory of 5080	4836	cmd.exe	reg.exe
PID 4772 wrote to memory of 5060	4772	ff044509cd6eba3681d1f548574b5d7a.exe	powershell.exe
PID 4772 wrote to memory of 5060	4772	ff044509cd6eba3681d1f548574b5d7a.exe	powershell.exe
PID 4772 wrote to memory of 5060	4772	ff044509cd6eba3681d1f548574b5d7a.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\ff044509cd6eba3681d1f548574b5d7a.exe
"C:\Users\Admin\AppData\Local\Temp\ff044509cd6eba3681d1f548574b5d7a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v progmfil /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\ftermgr.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v progmfil /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\ftermgr.exe"
3⤵
- Adds Run key to start application
PID:5080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Users\Admin\AppData\Local\ftermgr.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4772-10-0x00000000058A0000-0x00000000058A8000-memory.dmp

Filesize
32KB

Download
memory/4772-7-0x00000000058C0000-0x0000000005952000-memory.dmp

Filesize
584KB

Download
memory/4772-0-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4772-3-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4772-4-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4772-5-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/4772-6-0x0000000000ED0000-0x0000000000ED8000-memory.dmp

Filesize
32KB

Download
memory/4772-19-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4772-8-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4772-12-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4772-2-0x0000000002970000-0x0000000002986000-memory.dmp

Filesize
88KB

Download
memory/4772-1-0x0000000000520000-0x0000000000590000-memory.dmp

Filesize
448KB

Download
memory/4772-9-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4772-13-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/4772-11-0x0000000005AB0000-0x0000000005AF4000-memory.dmp

Filesize
272KB

Download
memory/5060-24-0x0000000005FE0000-0x0000000006046000-memory.dmp

Filesize
408KB

Download
memory/5060-18-0x0000000005220000-0x0000000005256000-memory.dmp

Filesize
216KB

Download
memory/5060-17-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/5060-20-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/5060-21-0x00000000058D0000-0x0000000005EF8000-memory.dmp

Filesize
6.2MB

Download
memory/5060-22-0x0000000005770000-0x0000000005792000-memory.dmp

Filesize
136KB

Download
memory/5060-23-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/5060-16-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads