remcos | da518c888f3041f6b13de0f7c54ac9429efa87a8c78fd426f81bd45d8dc66d8e

General

Target

e30b26ce154af3e9e743c557dfe49071.exe
Size

832KB
MD5

e30b26ce154af3e9e743c557dfe49071
SHA1

d38122696b55c3121e9d58d8cbdd2b3400dba610
SHA256

da518c888f3041f6b13de0f7c54ac9429efa87a8c78fd426f81bd45d8dc66d8e
SHA512

be977eb665ffdcc468776e4c28983cded2390d29c8bf0c4f1db1744754caeeff08d4ec52712d71d306e8ac28df74e3c5e70232d1909556609ee6c427bc3758e4

Score

10^/10

remcos sys32 rat

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

Sys32

C2

135.181.140.182:4783

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Logs
keylog_path
%AppData%
mouse_option
false
mutex
SYS32-S57R8C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

e30b26ce154af3e9e743c557dfe49071.exe

description pid process target process

PID 3976 set thread context of 2864 3976 e30b26ce154af3e9e743c557dfe49071.exe e30b26ce154af3e9e743c557dfe49071.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2888 3976 WerFault.exe e30b26ce154af3e9e743c557dfe49071.exe

description	pid	process	target process
PID 3976 set thread context of 2864	3976	e30b26ce154af3e9e743c557dfe49071.exe	e30b26ce154af3e9e743c557dfe49071.exe

pid	pid_target	process	target process
2888	3976	WerFault.exe	e30b26ce154af3e9e743c557dfe49071.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

e30b26ce154af3e9e743c557dfe49071.exe

pid process

2864 e30b26ce154af3e9e743c557dfe49071.exe

pid	process
2864	e30b26ce154af3e9e743c557dfe49071.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

e30b26ce154af3e9e743c557dfe49071.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3976	e30b26ce154af3e9e743c557dfe49071.exe
Token: SeRestorePrivilege	2888	WerFault.exe
Token: SeBackupPrivilege	2888	WerFault.exe
Token: SeDebugPrivilege	2888	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e30b26ce154af3e9e743c557dfe49071.exe

pid process

2864 e30b26ce154af3e9e743c557dfe49071.exe

pid	process
2864	e30b26ce154af3e9e743c557dfe49071.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e30b26ce154af3e9e743c557dfe49071.exe

description	pid	process	target process
PID 3976 wrote to memory of 2864	3976	e30b26ce154af3e9e743c557dfe49071.exe	e30b26ce154af3e9e743c557dfe49071.exe
PID 3976 wrote to memory of 2864	3976	e30b26ce154af3e9e743c557dfe49071.exe	e30b26ce154af3e9e743c557dfe49071.exe
PID 3976 wrote to memory of 2864	3976	e30b26ce154af3e9e743c557dfe49071.exe	e30b26ce154af3e9e743c557dfe49071.exe
PID 3976 wrote to memory of 2864	3976	e30b26ce154af3e9e743c557dfe49071.exe	e30b26ce154af3e9e743c557dfe49071.exe
PID 3976 wrote to memory of 2864	3976	e30b26ce154af3e9e743c557dfe49071.exe	e30b26ce154af3e9e743c557dfe49071.exe
PID 3976 wrote to memory of 2864	3976	e30b26ce154af3e9e743c557dfe49071.exe	e30b26ce154af3e9e743c557dfe49071.exe
PID 3976 wrote to memory of 2864	3976	e30b26ce154af3e9e743c557dfe49071.exe	e30b26ce154af3e9e743c557dfe49071.exe
PID 3976 wrote to memory of 2864	3976	e30b26ce154af3e9e743c557dfe49071.exe	e30b26ce154af3e9e743c557dfe49071.exe
PID 3976 wrote to memory of 2864	3976	e30b26ce154af3e9e743c557dfe49071.exe	e30b26ce154af3e9e743c557dfe49071.exe
PID 3976 wrote to memory of 2864	3976	e30b26ce154af3e9e743c557dfe49071.exe	e30b26ce154af3e9e743c557dfe49071.exe
PID 3976 wrote to memory of 2864	3976	e30b26ce154af3e9e743c557dfe49071.exe	e30b26ce154af3e9e743c557dfe49071.exe
PID 3976 wrote to memory of 2864	3976	e30b26ce154af3e9e743c557dfe49071.exe	e30b26ce154af3e9e743c557dfe49071.exe

C:\Users\Admin\AppData\Local\Temp\e30b26ce154af3e9e743c557dfe49071.exe
"C:\Users\Admin\AppData\Local\Temp\e30b26ce154af3e9e743c557dfe49071.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Local\Temp\e30b26ce154af3e9e743c557dfe49071.exe
"C:\Users\Admin\AppData\Local\Temp\e30b26ce154af3e9e743c557dfe49071.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1588
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2864-126-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2864-129-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2864-127-0x000000000042F76C-mapping.dmp

Download
memory/3976-122-0x00000000054F0000-0x00000000059EE000-memory.dmp

Filesize
5.0MB

Download
memory/3976-119-0x00000000054F0000-0x00000000059EE000-memory.dmp

Filesize
5.0MB

Download
memory/3976-120-0x00000000054F0000-0x00000000059EE000-memory.dmp

Filesize
5.0MB

Download
memory/3976-115-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/3976-121-0x00000000054F0000-0x00000000059EE000-memory.dmp

Filesize
5.0MB

Download
memory/3976-123-0x0000000009C70000-0x0000000009C71000-memory.dmp

Filesize
4KB

Download
memory/3976-124-0x0000000009BB0000-0x0000000009C05000-memory.dmp

Filesize
340KB

Download
memory/3976-125-0x0000000009C20000-0x0000000009C23000-memory.dmp

Filesize
12KB

Download
memory/3976-118-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/3976-117-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/3976-116-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads