remcos | 9f3ecaeac8bae7c4e01a3e84e4d4d754b7b6f1920911bea65e7325faa76de078

General

Target

4e7c541d76152a9c82d5769860970018.exe
Size

1.4MB
MD5

4e7c541d76152a9c82d5769860970018
SHA1

1d0a791492c042502172a0d48d926e75587d411e
SHA256

9f3ecaeac8bae7c4e01a3e84e4d4d754b7b6f1920911bea65e7325faa76de078
SHA512

54d582b3e3932bcb8c52728cb2cd4284577696cbddcf07a570a6ca536808ca0b9af5fa0187dcf15769e36c3920c0bd0d032bd657210683bae78bf8f8debf02ce
SSDEEP

24576:S6yJMY9UFoRDhkeYM1jJR97zUbia9JVe0hs5WfBiERJchVML1bT6E7:VY9UORVOM1jJHzaiape0hsABFRJch6Lv

Score

10^/10

remcos graced rat rezer0 upx

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

GRACED

C2

thankyoulord.ddns.net:5050

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-0S5XD9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/2276-9-0x0000000000B30000-0x0000000000B5C000-memory.dmp	rezer0

Executes dropped EXE 1 IoCs

pid	Process
2276	test.exe

Loads dropped DLL 1 IoCs

pid	Process
2656	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2644-0-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2644-10-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2644-28-0x0000000000400000-0x00000000006F1000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 2800	2276	test.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2276	test.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	test.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2656	2644	4e7c541d76152a9c82d5769860970018.exe	17
PID 2644 wrote to memory of 2656	2644	4e7c541d76152a9c82d5769860970018.exe	17
PID 2644 wrote to memory of 2656	2644	4e7c541d76152a9c82d5769860970018.exe	17
PID 2644 wrote to memory of 2656	2644	4e7c541d76152a9c82d5769860970018.exe	17
PID 2656 wrote to memory of 2276	2656	cmd.exe	18
PID 2656 wrote to memory of 2276	2656	cmd.exe	18
PID 2656 wrote to memory of 2276	2656	cmd.exe	18
PID 2656 wrote to memory of 2276	2656	cmd.exe	18
PID 2276 wrote to memory of 2952	2276	test.exe	31
PID 2276 wrote to memory of 2952	2276	test.exe	31
PID 2276 wrote to memory of 2952	2276	test.exe	31
PID 2276 wrote to memory of 2952	2276	test.exe	31
PID 2276 wrote to memory of 2800	2276	test.exe	33
PID 2276 wrote to memory of 2800	2276	test.exe	33
PID 2276 wrote to memory of 2800	2276	test.exe	33
PID 2276 wrote to memory of 2800	2276	test.exe	33
PID 2276 wrote to memory of 2800	2276	test.exe	33
PID 2276 wrote to memory of 2800	2276	test.exe	33
PID 2276 wrote to memory of 2800	2276	test.exe	33
PID 2276 wrote to memory of 2800	2276	test.exe	33
PID 2276 wrote to memory of 2800	2276	test.exe	33
PID 2276 wrote to memory of 2800	2276	test.exe	33
PID 2276 wrote to memory of 2800	2276	test.exe	33

C:\Users\Admin\AppData\Local\Temp\4e7c541d76152a9c82d5769860970018.exe
"C:\Users\Admin\AppData\Local\Temp\4e7c541d76152a9c82d5769860970018.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vXAlJeWc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp"
      4⤵
      Creates scheduled task(s)
      PID:2952
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "{path}"
      4⤵
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
96KB

MD5
66e444ad618f588c0bc398c61473aa2b

SHA1
5d234d14f2ed1209e064ba8a76d393b5fe905bfe

SHA256
65b7957f8ed88c8a577180617429d82147a0294452431024ed6f121c1bfd6fc0

SHA512
e0422f36aff078aff8c308e1211eb74714acef1eab0f79993ab94fa27cd49e957b3f6cb993655bf59513904d21b52fb6785a1d2e08f63fb7002aa83d70c243cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
61KB

MD5
8766c1d8dbb3cdb62a0450085a72b7be

SHA1
ebba99a4d291d6b188b0a10b25bb3b249bfb6185

SHA256
e46e67fb64bfd3356b08b853f290e66ea18d6e272cc86a09ced4b07ddf1fa2e4

SHA512
f688e2715b7e305d38502610a94d587a3b8d34c4245c5424d32b433288efe6f3ef2e724942d53636760296586382f1521b1da28d1c5b9829c3eae3faeb05da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp

Filesize
1KB

MD5
81bd8ab36b5bada1a66e1d6aec930c19

SHA1
4d6a9e17edacbd058dc7780f6e90476baec51485

SHA256
eebf931af3ee5475b0f680fa30650fdc7be47647e9dca05371de7cc0d142d153

SHA512
ba308dc09c4ab636c7f6ff004ba18d0f448064c8220a3a8d2d595c9d893bb9f865525ae7f4b31978b699c3edbfce9439b6adfffb9a76f6f9a1279ac1e4301041

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe

Filesize
70KB

MD5
9e4bc2530f4131f83f6f2d2167b4f5dc

SHA1
f69fe17b11a2cd2b10b31614130a882056395f77

SHA256
460189028f8aeeef9e7d58227d9e1790e337677f492d88f6ca8ddd7fec994954

SHA512
bb1770e5c5c7911048f11e29eccbcc5d99095fe2ad70040e1f2f64cc45d27b7ba9b9d8199d73d44ea73944c726aa5dcd51a388380651440a5a8bb5eb5bda7351

Download Submit
memory/2276-26-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2276-5-0x0000000000FF0000-0x0000000001048000-memory.dmp

Filesize
352KB

Download
memory/2276-6-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2276-7-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/2276-8-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/2276-9-0x0000000000B30000-0x0000000000B5C000-memory.dmp

Filesize
176KB

Download
memory/2644-0-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2644-10-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2644-28-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2800-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2800-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-29-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-32-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-36-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-38-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-42-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-50-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads