remcos | 394a5f08dcda3e2a0112f4019653139676389637cb465509c6d644a5eed0f45a

General

Target

5fcda7ba7ec8e67ff814d484a57d62ab.exe
Size

1.4MB
MD5

5fcda7ba7ec8e67ff814d484a57d62ab
SHA1

d20c5e1a365838ca57e62f023e66abcfa62fe798
SHA256

394a5f08dcda3e2a0112f4019653139676389637cb465509c6d644a5eed0f45a
SHA512

09d335abac66d0b382165de007a5466228c1725fa7a90f0da08aae054a1a57a0370f32f16d943b61d0e17fbe6e9939fe671f90525b79b57415519e6cc7970c5b
SSDEEP

24576:k6yJMY9UFoRDhkeYM1jJR97zUbia9JVe0hs5WfBiERJchVML1bT6E7:rY9UORVOM1jJHzaiape0hsABFRJch6Lv

Score

10^/10

remcos graced rat rezer0 upx

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

GRACED

C2

thankyoulord.ddns.net:5050

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-0S5XD9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/2384-9-0x0000000004120000-0x000000000414C000-memory.dmp	rezer0

Executes dropped EXE 1 IoCs

Processes:

test.exe

pid process

2384 test.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2652 cmd.exe

pid	process
2384	test.exe

pid	process
2652	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1504-1-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/1504-10-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/1504-30-0x0000000000400000-0x00000000006F1000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

test.exe

description pid process target process

PID 2384 set thread context of 2972 2384 test.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2568 schtasks.exe

description	pid	process	target process
PID 2384 set thread context of 2972	2384	test.exe	vbc.exe

pid	process
2568	schtasks.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

5fcda7ba7ec8e67ff814d484a57d62ab.execmd.exetest.exe

description	pid	process	target process
PID 1504 wrote to memory of 2652	1504	5fcda7ba7ec8e67ff814d484a57d62ab.exe	cmd.exe
PID 1504 wrote to memory of 2652	1504	5fcda7ba7ec8e67ff814d484a57d62ab.exe	cmd.exe
PID 1504 wrote to memory of 2652	1504	5fcda7ba7ec8e67ff814d484a57d62ab.exe	cmd.exe
PID 1504 wrote to memory of 2652	1504	5fcda7ba7ec8e67ff814d484a57d62ab.exe	cmd.exe
PID 2652 wrote to memory of 2384	2652	cmd.exe	test.exe
PID 2652 wrote to memory of 2384	2652	cmd.exe	test.exe
PID 2652 wrote to memory of 2384	2652	cmd.exe	test.exe
PID 2652 wrote to memory of 2384	2652	cmd.exe	test.exe
PID 2384 wrote to memory of 2568	2384	test.exe	schtasks.exe
PID 2384 wrote to memory of 2568	2384	test.exe	schtasks.exe
PID 2384 wrote to memory of 2568	2384	test.exe	schtasks.exe
PID 2384 wrote to memory of 2568	2384	test.exe	schtasks.exe
PID 2384 wrote to memory of 2972	2384	test.exe	vbc.exe
PID 2384 wrote to memory of 2972	2384	test.exe	vbc.exe
PID 2384 wrote to memory of 2972	2384	test.exe	vbc.exe
PID 2384 wrote to memory of 2972	2384	test.exe	vbc.exe
PID 2384 wrote to memory of 2972	2384	test.exe	vbc.exe
PID 2384 wrote to memory of 2972	2384	test.exe	vbc.exe
PID 2384 wrote to memory of 2972	2384	test.exe	vbc.exe
PID 2384 wrote to memory of 2972	2384	test.exe	vbc.exe
PID 2384 wrote to memory of 2972	2384	test.exe	vbc.exe
PID 2384 wrote to memory of 2972	2384	test.exe	vbc.exe
PID 2384 wrote to memory of 2972	2384	test.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\5fcda7ba7ec8e67ff814d484a57d62ab.exe
"C:\Users\Admin\AppData\Local\Temp\5fcda7ba7ec8e67ff814d484a57d62ab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vXAlJeWc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7FF9.tmp"
4⤵
- Creates scheduled task(s)
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
127KB

MD5
58412ccb4170e7960d33aaac7891b151

SHA1
dcdccc6800a047f08437fbf7ebf9086005348dac

SHA256
62375e5dbb8abbf7452e8037453e5519a24a851540d4e486a595f35617102c6a

SHA512
a197cd082ca849904763a41cdc996b4c5fe82a81b559277facbbeb051f9cd5284d6c2e254ccbc60557c9e0fbbde5da8d5b89767ae2a7d8c3fc4a1565471094b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
212KB

MD5
efb76b02afb1ab78a86f2de93ebcb651

SHA1
c82bc65bf1cac79639eb9fe47257404e3dcdba15

SHA256
9ceb4d857a0935fb86ecf42d4f0f7d9afe91e167c3659daa6892cc92f69a6901

SHA512
630771e18519c0d6ba42be32bcf336ca01f9defe025d891b38a8bba5a17d57870560cf7b484f0421edf9ca2f1711e53cf95450c3d51936ec24d62bdf30500015

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FF9.tmp
Filesize
1KB

MD5
81bd8ab36b5bada1a66e1d6aec930c19

SHA1
4d6a9e17edacbd058dc7780f6e90476baec51485

SHA256
eebf931af3ee5475b0f680fa30650fdc7be47647e9dca05371de7cc0d142d153

SHA512
ba308dc09c4ab636c7f6ff004ba18d0f448064c8220a3a8d2d595c9d893bb9f865525ae7f4b31978b699c3edbfce9439b6adfffb9a76f6f9a1279ac1e4301041

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe
Filesize
177KB

MD5
5a7479385bfb5a45a67daae65b4b7c58

SHA1
deb62cdf29eca5524c4061e8b55d160b5dcb1a44

SHA256
ae9838becf3f3e5e251f826c18cb45b19b8dc1814af1d414b60b171be1cd642d

SHA512
4c07b866c046753c7bc271140ec8f7f730044aa90a3305d7210833ac3b27cac1ad182959343a185d98d72810f39db179646f38825ec93569d4b045de7a8fdd99

Download Submit
memory/1504-10-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/1504-1-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/1504-30-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2384-5-0x00000000000A0000-0x00000000000F8000-memory.dmp

Filesize
352KB

Download
memory/2384-7-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/2384-8-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/2384-9-0x0000000004120000-0x000000000414C000-memory.dmp

Filesize
176KB

Download
memory/2384-6-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2384-29-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2972-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-32-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-35-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-37-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-49-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads