remcos | f57baf38587fe0245e396c9b57664994be9a6f92e96d959fb251a6b7f00ddad5

General

Target

17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe
Size

288KB
MD5

17aabf6d007520c94f8df8196c8066b6
SHA1

941456ee84371a09d11e4b15f3887f660e260d34
SHA256

f57baf38587fe0245e396c9b57664994be9a6f92e96d959fb251a6b7f00ddad5
SHA512

b78e80fe53080cfee4e75ac481f199243f68a6c662ff691604247fc06ae306ce65680b4f7d31e5f2d65795752508e6c1b63a1150a49a073d3adea57e72fb5cd9
SSDEEP

6144:AuBQ3fWB3qOyuBGrl3/8xhKqwX7oAGdb+bDt6GbkLgHp7Lm:AuielqAB0P5qMGmDtzALcp7

Score

10^/10

remcos zgrat remotehost agilenet rat

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

RemoteHost

C2

185.84.181.89:3363

185.84.181.89:3362

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-MRGC3E
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1056-3-0x00000000055D0000-0x00000000055F8000-memory.dmp	family_zgrat_v1

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/1056-3-0x00000000055D0000-0x00000000055F8000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe

description	pid	process	target process
PID 1056 set thread context of 5056	1056	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1056 17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe

pid process

5056 17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1056	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe

pid	process
5056	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe

description	pid	process	target process
PID 1056 wrote to memory of 5056	1056	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe
PID 1056 wrote to memory of 5056	1056	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe
PID 1056 wrote to memory of 5056	1056	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe
PID 1056 wrote to memory of 5056	1056	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe
PID 1056 wrote to memory of 5056	1056	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe
PID 1056 wrote to memory of 5056	1056	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe
PID 1056 wrote to memory of 5056	1056	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe
PID 1056 wrote to memory of 5056	1056	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe
PID 1056 wrote to memory of 5056	1056	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe
PID 5056 wrote to memory of 1452	5056	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe	svchost.exe
PID 5056 wrote to memory of 1452	5056	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe	svchost.exe
PID 5056 wrote to memory of 1452	5056	17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\Temp\17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17aabf6d007520c94f8df8196c8066b6_JaffaCakes118.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
79B

MD5
b360fe7fec3c12d12ac4bdb6a9087d65

SHA1
31cfb1942ed6d00480179bdc2c23b97a5f453ff6

SHA256
2e23381e6d4881afa5a3260407ce150dc98bb90ed4c28e2b1953c54d79638065

SHA512
1062bd3acd3b89ceba3b0750c0cdb43af343f4c8c374993dc290920c74476c78c6b1df766c00b24fe114f3f4417a04fd72c764f3e4378113c12d5c4e569bf6f5

Download Submit
memory/1056-8-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/1056-5-0x0000000007FF0000-0x0000000008594000-memory.dmp

Filesize
5.6MB

Download
memory/1056-9-0x0000000007BC0000-0x0000000007C5C000-memory.dmp

Filesize
624KB

Download
memory/1056-4-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/1056-1-0x0000000000B00000-0x0000000000B52000-memory.dmp

Filesize
328KB

Download
memory/1056-6-0x0000000007B20000-0x0000000007BB2000-memory.dmp

Filesize
584KB

Download
memory/1056-7-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

Filesize
4KB

Download
memory/1056-20-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/1056-3-0x00000000055D0000-0x00000000055F8000-memory.dmp

Filesize
160KB

Download
memory/1056-2-0x0000000005550000-0x00000000055C6000-memory.dmp

Filesize
472KB

Download
memory/1056-0-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

Filesize
4KB

Download
memory/5056-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5056-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5056-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5056-13-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5056-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5056-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads