remcos | adc69083d0ebafc23b9960b44c46afd7888d08696d7a8823bf416045521e2a75

General

Target

651b0cae664c3d9e1da6d664bac308d3.exe
Size

420KB
MD5

651b0cae664c3d9e1da6d664bac308d3
SHA1

d2bda6cd6753ef92ef069983299b6bd545f7e00c
SHA256

adc69083d0ebafc23b9960b44c46afd7888d08696d7a8823bf416045521e2a75
SHA512

a6581c1bea1ad419bc82e161b17ebc6b4cf77ac0ad985ff4cb45b41706fe738a799834d10695737ea1ac222ef2eec096bd6e93817ec6a216d77d522380742c4c
SSDEEP

6144:59g5p/aJJL7XJAnY7jioSgBK0Ru115xTcYeEknZJJAVAe+:5gUJHX+nOjhBq1j2AWx

Score

10^/10

remcos agilenet persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/4520-2-0x0000000003060000-0x0000000003076000-memory.dmp	agile_net
behavioral2/memory/1432-44-0x0000000000AD0000-0x0000000000AE6000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\progmfil = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Local\\ftermgr.exe"	reg.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4292 3428 WerFault.exe ftermgr.exe
4976 1432 WerFault.exe ftermgr.exe

pid	pid_target	process	target process
4292	3428	WerFault.exe	ftermgr.exe
4976	1432	WerFault.exe	ftermgr.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

651b0cae664c3d9e1da6d664bac308d3.exepowershell.exe

pid	process
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
4520	651b0cae664c3d9e1da6d664bac308d3.exe
3392	powershell.exe
3392	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

651b0cae664c3d9e1da6d664bac308d3.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4520 651b0cae664c3d9e1da6d664bac308d3.exe
Token: SeDebugPrivilege 3392 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4520	651b0cae664c3d9e1da6d664bac308d3.exe
Token: SeDebugPrivilege	3392	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

651b0cae664c3d9e1da6d664bac308d3.execmd.exe

description	pid	process	target process
PID 4520 wrote to memory of 2604	4520	651b0cae664c3d9e1da6d664bac308d3.exe	cmd.exe
PID 4520 wrote to memory of 2604	4520	651b0cae664c3d9e1da6d664bac308d3.exe	cmd.exe
PID 4520 wrote to memory of 2604	4520	651b0cae664c3d9e1da6d664bac308d3.exe	cmd.exe
PID 2604 wrote to memory of 5072	2604	cmd.exe	reg.exe
PID 2604 wrote to memory of 5072	2604	cmd.exe	reg.exe
PID 2604 wrote to memory of 5072	2604	cmd.exe	reg.exe
PID 4520 wrote to memory of 3392	4520	651b0cae664c3d9e1da6d664bac308d3.exe	powershell.exe
PID 4520 wrote to memory of 3392	4520	651b0cae664c3d9e1da6d664bac308d3.exe	powershell.exe
PID 4520 wrote to memory of 3392	4520	651b0cae664c3d9e1da6d664bac308d3.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\651b0cae664c3d9e1da6d664bac308d3.exe
"C:\Users\Admin\AppData\Local\Temp\651b0cae664c3d9e1da6d664bac308d3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v progmfil /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\ftermgr.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Users\Admin\AppData\Local\ftermgr.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Users\Admin\AppData\Local\ftermgr.exe
"C:\Users\Admin\AppData\Local\ftermgr.exe"
3⤵
PID:1432

C:\Users\Admin\AppData\Local\ftermgr.exe
"C:\Users\Admin\AppData\Local\ftermgr.exe"
4⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 500
5⤵
- Program crash
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1492
4⤵
- Program crash
PID:4976

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v progmfil /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\ftermgr.exe"
1⤵
- Adds Run key to start application
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1432 -ip 1432
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3428 -ip 3428
1⤵
PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1432-46-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/1432-63-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/1432-52-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1432-51-0x0000000005430000-0x000000000543A000-memory.dmp

Filesize
40KB

Download
memory/1432-50-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1432-49-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/1432-48-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1432-44-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

Filesize
88KB

Download
memory/1432-47-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/3392-34-0x0000000005900000-0x0000000005C54000-memory.dmp

Filesize
3.3MB

Download
memory/3392-39-0x0000000006280000-0x00000000062A2000-memory.dmp

Filesize
136KB

Download
memory/3392-45-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/3392-37-0x0000000006E20000-0x0000000006EB6000-memory.dmp

Filesize
600KB

Download
memory/3392-38-0x0000000006230000-0x000000000624A000-memory.dmp

Filesize
104KB

Download
memory/3392-35-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

Filesize
120KB

Download
memory/3392-20-0x0000000004850000-0x0000000004860000-memory.dmp

Filesize
64KB

Download
memory/3392-21-0x0000000004E90000-0x00000000054B8000-memory.dmp

Filesize
6.2MB

Download
memory/3392-22-0x0000000004DF0000-0x0000000004E12000-memory.dmp

Filesize
136KB

Download
memory/3392-23-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/3392-24-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/3392-36-0x0000000005DD0000-0x0000000005E1C000-memory.dmp

Filesize
304KB

Download
memory/3392-19-0x0000000004850000-0x0000000004860000-memory.dmp

Filesize
64KB

Download
memory/3392-18-0x00000000047B0000-0x00000000047E6000-memory.dmp

Filesize
216KB

Download
memory/3392-17-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/3428-62-0x0000000000590000-0x00000000005B0000-memory.dmp

Filesize
128KB

Download
memory/3428-54-0x0000000000590000-0x00000000005B0000-memory.dmp

Filesize
128KB

Download
memory/3428-58-0x0000000000590000-0x00000000005B0000-memory.dmp

Filesize
128KB

Download
memory/4520-9-0x0000000006A40000-0x0000000006A84000-memory.dmp

Filesize
272KB

Download
memory/4520-6-0x0000000005F90000-0x0000000006022000-memory.dmp

Filesize
584KB

Download
memory/4520-8-0x00000000061C0000-0x00000000061C8000-memory.dmp

Filesize
32KB

Download
memory/4520-7-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4520-11-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4520-1-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4520-5-0x0000000005E80000-0x0000000005E88000-memory.dmp

Filesize
32KB

Download
memory/4520-12-0x00000000061F0000-0x00000000061F8000-memory.dmp

Filesize
32KB

Download
memory/4520-4-0x0000000006440000-0x00000000069E4000-memory.dmp

Filesize
5.6MB

Download
memory/4520-3-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4520-0-0x0000000000D60000-0x0000000000DD0000-memory.dmp

Filesize
448KB

Download
memory/4520-14-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4520-10-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4520-16-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4520-2-0x0000000003060000-0x0000000003076000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads