remcos | 1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf

General

Target

1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe
Size

831KB
MD5

702502d248a49746461f351455ba910f
SHA1

0d380acae122897754a815d2fbf039a1832d5606
SHA256

1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf
SHA512

6dbfb587d2936d853b93b0be99a6fc576908bea44a4bc0f73699189491294348597150e273d87c3ad7022d850bb2818e77d763ab34a6bbd36f42da0bed377460

Score

10^/10

remcos sys32 rat

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

Sys32

C2

135.181.140.182:4783

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Logs
keylog_path
%AppData%
mouse_option
false
mutex
SYS32-S57R8C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

Processes:

1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe

description	pid	process	target process
PID 856 set thread context of 2220	856	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2144 856 WerFault.exe 1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe

pid	pid_target	process	target process
2144	856	WerFault.exe	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe

pid process

2220 1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe

pid	process
2220	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	856	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe
Token: SeRestorePrivilege	2144	WerFault.exe
Token: SeBackupPrivilege	2144	WerFault.exe
Token: SeDebugPrivilege	2144	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe

pid process

2220 1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe

pid	process
2220	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe

description	pid	process	target process
PID 856 wrote to memory of 2220	856	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe
PID 856 wrote to memory of 2220	856	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe
PID 856 wrote to memory of 2220	856	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe
PID 856 wrote to memory of 2220	856	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe
PID 856 wrote to memory of 2220	856	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe
PID 856 wrote to memory of 2220	856	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe
PID 856 wrote to memory of 2220	856	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe
PID 856 wrote to memory of 2220	856	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe
PID 856 wrote to memory of 2220	856	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe
PID 856 wrote to memory of 2220	856	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe
PID 856 wrote to memory of 2220	856	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe
PID 856 wrote to memory of 2220	856	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe	1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe

C:\Users\Admin\AppData\Local\Temp\1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1270a5137d1c53725e34eac069b91436aef17863ec1102cc261cf214133444cf.bin.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 1592
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-114-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/856-115-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/856-116-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/856-117-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/856-118-0x00000000050B0000-0x00000000055AE000-memory.dmp

Filesize
5.0MB

Download
memory/856-119-0x00000000050B0000-0x00000000055AE000-memory.dmp

Filesize
5.0MB

Download
memory/856-120-0x00000000050B0000-0x00000000055AE000-memory.dmp

Filesize
5.0MB

Download
memory/856-121-0x00000000050B0000-0x00000000055AE000-memory.dmp

Filesize
5.0MB

Download
memory/856-122-0x0000000006D70000-0x0000000006D71000-memory.dmp

Filesize
4KB

Download
memory/856-123-0x0000000006CB0000-0x0000000006D05000-memory.dmp

Filesize
340KB

Download
memory/856-124-0x0000000006D20000-0x0000000006D23000-memory.dmp

Filesize
12KB

Download
memory/2220-125-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2220-126-0x000000000042F76C-mapping.dmp

Download
memory/2220-128-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads