remcos | c0e2cb42b9025ace057d448e5013b144f0ac62e544b25aa866726e67a7a24153

General

Target

45d14a8a0c496e2a406fccc1f11d8e7c.exe
Size

334KB
MD5

45d14a8a0c496e2a406fccc1f11d8e7c
SHA1

9334c3762dee31d460829a1252f47d43b9551b17
SHA256

c0e2cb42b9025ace057d448e5013b144f0ac62e544b25aa866726e67a7a24153
SHA512

c0bc53653cffdc8f681fde6b4e7baf267b0917d10b1034e5ccf8e4ddfec5e8b4d045df33fe7a345fb3dd681787dbe6e962f238fba1a66e76f4bc3940b802324c
SSDEEP

3072:WzQgBOSOm06uNDTnFIcqvPwl+n0lLPjpymmQfRZ8XVMHluaqLIQHRhxsllD7g5Z6:WhduBTnFoYl+0ZPjpyb+Ya3gmyx4

Score

10^/10

remcos host rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

212.83.46.23:3110

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sfofkbucbh
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 2712	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe	25

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2680	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe	24
PID 2360 wrote to memory of 2680	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe	24
PID 2360 wrote to memory of 2680	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe	24
PID 2360 wrote to memory of 2680	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe	24
PID 2360 wrote to memory of 2712	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe	25
PID 2360 wrote to memory of 2712	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe	25
PID 2360 wrote to memory of 2712	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe	25
PID 2360 wrote to memory of 2712	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe	25
PID 2360 wrote to memory of 2712	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe	25
PID 2360 wrote to memory of 2712	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe	25
PID 2360 wrote to memory of 2712	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe	25
PID 2360 wrote to memory of 2712	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe	25
PID 2360 wrote to memory of 2712	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe	25
PID 2360 wrote to memory of 2712	2360	45d14a8a0c496e2a406fccc1f11d8e7c.exe	25

C:\Users\Admin\AppData\Local\Temp\45d14a8a0c496e2a406fccc1f11d8e7c.exe
"C:\Users\Admin\AppData\Local\Temp\45d14a8a0c496e2a406fccc1f11d8e7c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fbgRPALWLbAhN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C38.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\45d14a8a0c496e2a406fccc1f11d8e7c.exe
  "{path}"
  2⤵
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2360-25-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2360-2-0x00000000022A0000-0x00000000022E0000-memory.dmp

Filesize
256KB

Download
memory/2360-1-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2360-3-0x00000000022A0000-0x00000000022E0000-memory.dmp

Filesize
256KB

Download
memory/2360-0-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2712-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-17-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-15-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-13-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-9-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-26-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads