remcos | f657473052da6d9435ef7604646a7d027b1252ae6860a4a3bab7e791c5e41913

General

Target

2af952280c0ec3723136cfdf195a0e4f.exe
Size

831KB
MD5

2af952280c0ec3723136cfdf195a0e4f
SHA1

215ef3b73bc9221a84959681895f2dac9e18dad8
SHA256

f657473052da6d9435ef7604646a7d027b1252ae6860a4a3bab7e791c5e41913
SHA512

ae9becd575721846649a7323c35938ccf13489e338413113e26d8336b6da6eaa2d26f911ff18d8a47addd43381b187423d4dbc66b4d3a010290d8840f650ef9d

Score

10^/10

remcos sys32 rat

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

Sys32

C2

135.181.140.182:4783

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Logs
keylog_path
%AppData%
mouse_option
false
mutex
SYS32-S57R8C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

2af952280c0ec3723136cfdf195a0e4f.exe

description pid process target process

PID 4688 set thread context of 4148 4688 2af952280c0ec3723136cfdf195a0e4f.exe 2af952280c0ec3723136cfdf195a0e4f.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

736 4688 WerFault.exe 2af952280c0ec3723136cfdf195a0e4f.exe

description	pid	process	target process
PID 4688 set thread context of 4148	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe

pid	pid_target	process	target process
736	4688	WerFault.exe	2af952280c0ec3723136cfdf195a0e4f.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

2af952280c0ec3723136cfdf195a0e4f.exe

pid process

4148 2af952280c0ec3723136cfdf195a0e4f.exe

pid	process
4148	2af952280c0ec3723136cfdf195a0e4f.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2af952280c0ec3723136cfdf195a0e4f.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4688	2af952280c0ec3723136cfdf195a0e4f.exe
Token: SeRestorePrivilege	736	WerFault.exe
Token: SeBackupPrivilege	736	WerFault.exe
Token: SeDebugPrivilege	736	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2af952280c0ec3723136cfdf195a0e4f.exe

pid process

4148 2af952280c0ec3723136cfdf195a0e4f.exe

pid	process
4148	2af952280c0ec3723136cfdf195a0e4f.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2af952280c0ec3723136cfdf195a0e4f.exe

C:\Users\Admin\AppData\Local\Temp\2af952280c0ec3723136cfdf195a0e4f.exe
"C:\Users\Admin\AppData\Local\Temp\2af952280c0ec3723136cfdf195a0e4f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688

C:\Users\Admin\AppData\Local\Temp\2af952280c0ec3723136cfdf195a0e4f.exe
"C:\Users\Admin\AppData\Local\Temp\2af952280c0ec3723136cfdf195a0e4f.exe"
2⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\2af952280c0ec3723136cfdf195a0e4f.exe
"C:\Users\Admin\AppData\Local\Temp\2af952280c0ec3723136cfdf195a0e4f.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1396
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4148-126-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4148-129-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4148-127-0x000000000042F76C-mapping.dmp

Download
memory/4688-120-0x0000000004F70000-0x000000000546E000-memory.dmp

Filesize
5.0MB

Download
memory/4688-119-0x0000000004F70000-0x000000000546E000-memory.dmp

Filesize
5.0MB

Download
memory/4688-121-0x0000000004F70000-0x000000000546E000-memory.dmp

Filesize
5.0MB

Download
memory/4688-115-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4688-122-0x0000000004F70000-0x000000000546E000-memory.dmp

Filesize
5.0MB

Download
memory/4688-123-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/4688-124-0x0000000000CD0000-0x0000000000D25000-memory.dmp

Filesize
340KB

Download
memory/4688-125-0x00000000007F0000-0x00000000007F3000-memory.dmp

Filesize
12KB

Download
memory/4688-118-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/4688-117-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/4688-116-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 4688 wrote to memory of 4156	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe
PID 4688 wrote to memory of 4156	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe
PID 4688 wrote to memory of 4156	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe
PID 4688 wrote to memory of 4148	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe
PID 4688 wrote to memory of 4148	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe
PID 4688 wrote to memory of 4148	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe
PID 4688 wrote to memory of 4148	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe
PID 4688 wrote to memory of 4148	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe
PID 4688 wrote to memory of 4148	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe
PID 4688 wrote to memory of 4148	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe
PID 4688 wrote to memory of 4148	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe
PID 4688 wrote to memory of 4148	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe
PID 4688 wrote to memory of 4148	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe
PID 4688 wrote to memory of 4148	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe
PID 4688 wrote to memory of 4148	4688	2af952280c0ec3723136cfdf195a0e4f.exe	2af952280c0ec3723136cfdf195a0e4f.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads