remcos | 72a13a9e54e095c5878be67503dd808a7332cb631c4c615d65d69e2de47b080f

General

Target

44fcb60fa4a1d0535b891a0d7f603975.exe
Size

917KB
MD5

44fcb60fa4a1d0535b891a0d7f603975
SHA1

d526556c835337c2ca87c00d3ce3e430751bb3e2
SHA256

72a13a9e54e095c5878be67503dd808a7332cb631c4c615d65d69e2de47b080f
SHA512

537679df43c2924a7d409a527c929cab061e97b135f94110957ce4cb4193efc79b8d9962a8e56969a822534a161755c4cb99bb1caaf5804fe55f849716b414bb

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

RemoteHost

C2

freelife.hopto.org:2404

freelife1.hopto.org:2404

freelife2.hopto.org:2404

freelife01.hopto.org:2404

freelife3.hopto.org:2404

freelife4.hopto.org:2404

freelife5.hopto.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
pastananiceforwhat-QQD2AI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

15 2680 mshta.exe

flow	pid	process
15	2680	mshta.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

44fcb60fa4a1d0535b891a0d7f603975.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uhexymko = "C:\\Users\\Public\\Libraries\\okmyxehU.url"	44fcb60fa4a1d0535b891a0d7f603975.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

44fcb60fa4a1d0535b891a0d7f603975.exe

description	pid	process	target process
PID 4008 wrote to memory of 2680	4008	44fcb60fa4a1d0535b891a0d7f603975.exe	mshta.exe
PID 4008 wrote to memory of 2680	4008	44fcb60fa4a1d0535b891a0d7f603975.exe	mshta.exe
PID 4008 wrote to memory of 2680	4008	44fcb60fa4a1d0535b891a0d7f603975.exe	mshta.exe
PID 4008 wrote to memory of 2680	4008	44fcb60fa4a1d0535b891a0d7f603975.exe	mshta.exe
PID 4008 wrote to memory of 2680	4008	44fcb60fa4a1d0535b891a0d7f603975.exe	mshta.exe
PID 4008 wrote to memory of 2680	4008	44fcb60fa4a1d0535b891a0d7f603975.exe	mshta.exe
PID 4008 wrote to memory of 2680	4008	44fcb60fa4a1d0535b891a0d7f603975.exe	mshta.exe
PID 4008 wrote to memory of 2680	4008	44fcb60fa4a1d0535b891a0d7f603975.exe	mshta.exe
PID 4008 wrote to memory of 2680	4008	44fcb60fa4a1d0535b891a0d7f603975.exe	mshta.exe
PID 4008 wrote to memory of 2680	4008	44fcb60fa4a1d0535b891a0d7f603975.exe	mshta.exe
PID 4008 wrote to memory of 2680	4008	44fcb60fa4a1d0535b891a0d7f603975.exe	mshta.exe
PID 4008 wrote to memory of 2680	4008	44fcb60fa4a1d0535b891a0d7f603975.exe	mshta.exe
PID 4008 wrote to memory of 2680	4008	44fcb60fa4a1d0535b891a0d7f603975.exe	mshta.exe
PID 4008 wrote to memory of 2680	4008	44fcb60fa4a1d0535b891a0d7f603975.exe	mshta.exe
PID 4008 wrote to memory of 2680	4008	44fcb60fa4a1d0535b891a0d7f603975.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\44fcb60fa4a1d0535b891a0d7f603975.exe
"C:\Users\Admin\AppData\Local\Temp\44fcb60fa4a1d0535b891a0d7f603975.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\mshta.exe
C:\Windows\System32\mshta.exe
2⤵
- Blocklisted process makes network request
PID:2680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2680-120-0x0000000000000000-mapping.dmp

Download
memory/2680-122-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2680-121-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2680-124-0x0000000010590000-0x000000001060C000-memory.dmp

Filesize
496KB

Download
memory/2680-123-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2680-125-0x0000000000550000-0x00000000005C9000-memory.dmp

Filesize
484KB

Download
memory/4008-119-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing