remcos | a25bdcab7a38affd0798e5d674341724726c866e7cd7348b3d75bdb47ccca230

General

Target

c5YXaP80M6975Ej.exe
Size

891KB
MD5

52f0f8c78caa712137ac2f2528738b75
SHA1

73cb280eb0ae2d807b9a7a928ab4634d7376a0ed
SHA256

a25bdcab7a38affd0798e5d674341724726c866e7cd7348b3d75bdb47ccca230
SHA512

25a37723954cb765dab04b03837e792990a63d6fe752f354b24c7b78e601cd4cab3e0e1c53ecec633e7bcc7d6a72e105036d12a6bd607d080a6e7d4e47385446
SSDEEP

24576:ewB6NgL6qamjlzHxdOGzX74iJ2RqYYjfogCPm3:V6OLPaMrxd374iJxa

Score

10^/10

remcos host rat

Malware Config

Extracted

Family

remcos

Botnet

Host

C2

37.120.235.114:2269

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FCA9SV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

c5YXaP80M6975Ej.exe

description pid process target process

PID 2320 set thread context of 2896 2320 c5YXaP80M6975Ej.exe c5YXaP80M6975Ej.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2684 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

c5YXaP80M6975Ej.exepowershell.exe

pid process

2320 c5YXaP80M6975Ej.exe
2320 c5YXaP80M6975Ej.exe
2608 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c5YXaP80M6975Ej.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2320 c5YXaP80M6975Ej.exe
Token: SeDebugPrivilege 2608 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c5YXaP80M6975Ej.exe

pid process

2896 c5YXaP80M6975Ej.exe

description	pid	process	target process
PID 2320 set thread context of 2896	2320	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe

pid	process
2684	schtasks.exe

pid	process
2320	c5YXaP80M6975Ej.exe
2320	c5YXaP80M6975Ej.exe
2608	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2320	c5YXaP80M6975Ej.exe
Token: SeDebugPrivilege	2608	powershell.exe

pid	process
2896	c5YXaP80M6975Ej.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

c5YXaP80M6975Ej.exe

description	pid	process	target process
PID 2320 wrote to memory of 2608	2320	c5YXaP80M6975Ej.exe	powershell.exe
PID 2320 wrote to memory of 2608	2320	c5YXaP80M6975Ej.exe	powershell.exe
PID 2320 wrote to memory of 2608	2320	c5YXaP80M6975Ej.exe	powershell.exe
PID 2320 wrote to memory of 2608	2320	c5YXaP80M6975Ej.exe	powershell.exe
PID 2320 wrote to memory of 2684	2320	c5YXaP80M6975Ej.exe	schtasks.exe
PID 2320 wrote to memory of 2684	2320	c5YXaP80M6975Ej.exe	schtasks.exe
PID 2320 wrote to memory of 2684	2320	c5YXaP80M6975Ej.exe	schtasks.exe
PID 2320 wrote to memory of 2684	2320	c5YXaP80M6975Ej.exe	schtasks.exe
PID 2320 wrote to memory of 2896	2320	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 2320 wrote to memory of 2896	2320	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 2320 wrote to memory of 2896	2320	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 2320 wrote to memory of 2896	2320	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 2320 wrote to memory of 2896	2320	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 2320 wrote to memory of 2896	2320	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 2320 wrote to memory of 2896	2320	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 2320 wrote to memory of 2896	2320	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 2320 wrote to memory of 2896	2320	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 2320 wrote to memory of 2896	2320	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 2320 wrote to memory of 2896	2320	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 2320 wrote to memory of 2896	2320	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 2320 wrote to memory of 2896	2320	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe

C:\Users\Admin\AppData\Local\Temp\c5YXaP80M6975Ej.exe
"C:\Users\Admin\AppData\Local\Temp\c5YXaP80M6975Ej.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sirYRCGgC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sirYRCGgC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F70.tmp"
2⤵
- Creates scheduled task(s)
PID:2684

C:\Users\Admin\AppData\Local\Temp\c5YXaP80M6975Ej.exe
"C:\Users\Admin\AppData\Local\Temp\c5YXaP80M6975Ej.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
d61f9d73ccf21106a9a4785717a2a1f0

SHA1
7dae800e3073f2a59268227148315aa45755524d

SHA256
4d6c9cd6fe75ec7479543267a5eadaf9bd62b992daa025c2c4ba3c7dc60497c8

SHA512
6c6263deed871184a47b8ab5f416f326b0f60575cf3ada77c27847898e98ecfa27ca4a868b453d23e1de3cede8d40b6cce341e562cd6bb3c4270dfd50a5429e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F70.tmp
Filesize
1KB

MD5
255dd53e5d6fc2a02852f9f88a6d8167

SHA1
e2c3c1db08d21a732549a922ede1e6dcab2d5e9b

SHA256
568b0081e3c8b7faeb686715463fa8e8203c8f7406633f492295ce656f29ea76

SHA512
90592f02fba3e1bb797b59e2f933d9ace0c79e0fa2b74c0b54e3fb08f07756bd894cf662efc5e99a3aae5a0b05aec2f7031dd5af651c336c7d35c57297dd0033

Download Submit
memory/2320-6-0x0000000005450000-0x0000000005510000-memory.dmp

Filesize
768KB

Download
memory/2320-3-0x0000000000800000-0x0000000000816000-memory.dmp

Filesize
88KB

Download
memory/2320-4-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/2320-5-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/2320-30-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2320-2-0x0000000004CC0000-0x0000000004D00000-memory.dmp

Filesize
256KB

Download
memory/2320-1-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2320-0-0x0000000000F80000-0x0000000001064000-memory.dmp

Filesize
912KB

Download
memory/2608-40-0x000000006E500000-0x000000006EAAB000-memory.dmp

Filesize
5.7MB

Download
memory/2608-39-0x0000000002D90000-0x0000000002DD0000-memory.dmp

Filesize
256KB

Download
memory/2608-31-0x000000006E500000-0x000000006EAAB000-memory.dmp

Filesize
5.7MB

Download
memory/2608-35-0x000000006E500000-0x000000006EAAB000-memory.dmp

Filesize
5.7MB

Download
memory/2608-33-0x0000000002D90000-0x0000000002DD0000-memory.dmp

Filesize
256KB

Download
memory/2896-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2896-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2896-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads