Overview

overview

10

Static

static

9ca31c0977...b5.exe

windows7_x64

6

9ca31c0977...b5.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    15-09-2021 06:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ca31c0977758f77bebfd4b77d0aafb5.exe

  • Size

    917KB

  • MD5

    9ca31c0977758f77bebfd4b77d0aafb5

  • SHA1

    8952680a883dcd8941b903ffdb2cc783f370967f

  • SHA256

    02d8b132efe46479349be92ee105032ffb4f6451b9439b68df46f3049844db81

  • SHA512

    750f8252dbba3adee099adf6c3035e4d08f31f15fac638f52c3bb188b66697ca7c0b2a359c2ce0e92718c8b0224ec1b4cf075daa23627ebd6491859f0152353f

Score
10/10
remcosremotehostpersistencerat

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

RemoteHost

C2

freelife.hopto.org:2404

freelife1.hopto.org:2404

freelife2.hopto.org:2404

freelife01.hopto.org:2404

freelife3.hopto.org:2404

freelife4.hopto.org:2404

freelife5.hopto.org:2404
Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    pastananiceforwhat-QQD2AI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ca31c0977758f77bebfd4b77d0aafb5.exe
    "C:\Users\Admin\AppData\Local\Temp\9ca31c0977758f77bebfd4b77d0aafb5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4796
    • C:\Windows\SysWOW64\dialer.exe
      C:\Windows\System32\dialer.exe
      2⤵
        PID:4908

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4796-118-0x00000000005B0000-0x00000000006FA000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/4908-119-0x0000000000000000-mapping.dmp
      Download
    • memory/4908-121-0x0000000000800000-0x0000000000801000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4908-120-0x0000000000540000-0x0000000000541000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4908-123-0x0000000010590000-0x000000001060C000-memory.dmp
      Filesize

      496KB

      Download
    • memory/4908-124-0x0000000000810000-0x0000000000889000-memory.dmp
      Filesize

      484KB

      Download
    • memory/4908-122-0x00000000005A0000-0x00000000005A1000-memory.dmp
      Filesize

      4KB

      Download