remcos | 3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8

General

Target

3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe
Size

1.0MB
MD5

5e6d13bdc554cba4e186e5751fa8aec6
SHA1

7d825bb744de912c78bbf61122fd98fae5424ace
SHA256

3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8
SHA512

8014c0d995eba62eef2cea14b37e44ccc5feaef8797e063ffc11b235fd93b86c56df223f13fe4a18165caae36294e0d65c4cf652b9b54aac983f66f490ab3e87

Score

10^/10

remcos remotehost persistence rat upx

Malware Config

Extracted

Family

remcos

Version

3.3.2 Light

Botnet

RemoteHost

C2

91.243.44.75:1703

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-W5VMG1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

Sento.exe.comSento.exe.comSento.exe.com

pid process

4008 Sento.exe.com
856 Sento.exe.com
1092 Sento.exe.com

pid	process
4008	Sento.exe.com
856	Sento.exe.com
1092	Sento.exe.com

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1092-128-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral2/memory/1092-131-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral2/memory/1092-132-0x0000000000400000-0x0000000000479000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Sento.exe.com

description pid process target process

PID 856 set thread context of 1092 856 Sento.exe.com Sento.exe.com
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4052 PING.EXE
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Sento.exe.comSento.exe.com

pid process

4008 Sento.exe.com
4008 Sento.exe.com
4008 Sento.exe.com
856 Sento.exe.com
856 Sento.exe.com
856 Sento.exe.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Sento.exe.comSento.exe.com

pid process

4008 Sento.exe.com
4008 Sento.exe.com
4008 Sento.exe.com
856 Sento.exe.com
856 Sento.exe.com
856 Sento.exe.com

description	pid	process	target process
PID 856 set thread context of 1092	856	Sento.exe.com	Sento.exe.com

pid	process
4052	PING.EXE

pid	process
4008	Sento.exe.com
4008	Sento.exe.com
4008	Sento.exe.com
856	Sento.exe.com
856	Sento.exe.com
856	Sento.exe.com

pid	process
4008	Sento.exe.com
4008	Sento.exe.com
4008	Sento.exe.com
856	Sento.exe.com
856	Sento.exe.com
856	Sento.exe.com

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.execmd.execmd.exeSento.exe.comSento.exe.com

description	pid	process	target process
PID 2724 wrote to memory of 2328	2724	3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe	rundll32.exe
PID 2724 wrote to memory of 2328	2724	3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe	rundll32.exe
PID 2724 wrote to memory of 2328	2724	3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe	rundll32.exe
PID 2724 wrote to memory of 2856	2724	3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe	cmd.exe
PID 2724 wrote to memory of 2856	2724	3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe	cmd.exe
PID 2724 wrote to memory of 2856	2724	3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe	cmd.exe
PID 2856 wrote to memory of 2256	2856	cmd.exe	cmd.exe
PID 2856 wrote to memory of 2256	2856	cmd.exe	cmd.exe
PID 2856 wrote to memory of 2256	2856	cmd.exe	cmd.exe
PID 2256 wrote to memory of 1536	2256	cmd.exe	findstr.exe
PID 2256 wrote to memory of 1536	2256	cmd.exe	findstr.exe
PID 2256 wrote to memory of 1536	2256	cmd.exe	findstr.exe
PID 2256 wrote to memory of 4008	2256	cmd.exe	Sento.exe.com
PID 2256 wrote to memory of 4008	2256	cmd.exe	Sento.exe.com
PID 2256 wrote to memory of 4008	2256	cmd.exe	Sento.exe.com
PID 2256 wrote to memory of 4052	2256	cmd.exe	PING.EXE
PID 2256 wrote to memory of 4052	2256	cmd.exe	PING.EXE
PID 2256 wrote to memory of 4052	2256	cmd.exe	PING.EXE
PID 4008 wrote to memory of 856	4008	Sento.exe.com	Sento.exe.com
PID 4008 wrote to memory of 856	4008	Sento.exe.com	Sento.exe.com
PID 4008 wrote to memory of 856	4008	Sento.exe.com	Sento.exe.com
PID 856 wrote to memory of 1092	856	Sento.exe.com	Sento.exe.com
PID 856 wrote to memory of 1092	856	Sento.exe.com	Sento.exe.com
PID 856 wrote to memory of 1092	856	Sento.exe.com	Sento.exe.com
PID 856 wrote to memory of 1092	856	Sento.exe.com	Sento.exe.com
PID 856 wrote to memory of 1092	856	Sento.exe.com	Sento.exe.com

C:\Users\Admin\AppData\Local\Temp\3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe
"C:\Users\Admin\AppData\Local\Temp\3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\rundll32.exe
rundll32
2⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Alzata.wmv
2⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^jKnxbCNjZAMaeHfxSCDabwINSZBwDVebdLnYwlYMoSNQqSzOBrbOtgKkeLBnwLJrbgwdpsaIDRpFhRNqFMAmngzeqjW$" Giudichera.wmv
4⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com
Sento.exe.com L
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4008

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com L
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com
6⤵
- Executes dropped EXE
PID:1092

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 30
4⤵
- Runs ping.exe
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Alzata.wmv
MD5
9ef65ef6b665024d5c6ede2da4676625

SHA1
0f7b27e87e4aa16528184c47a50945f6e73ce30e

SHA256
e14ebb1b371057dd46b8d1ec815e3ed216f29731773eedd271f8534b3fcdc19e

SHA512
48c52f14d62ff720adef0943ef9e9250456e59d5ca76815fc6b60f0cdfe7248095dc6005a055a41471bcda8d8fccc544e81188b35046b847c05e35e2c341bbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Giudichera.wmv
MD5
72eb17261d022e6d9f713e8ad1960b4b

SHA1
d920146226e7818c151f2f0b34b7c1af50ba1c06

SHA256
a5bc8c641d0c8c8a59d36f308ee77d9d08b18cf50c52efe0500c2e0a17289082

SHA512
82478f1c1a35a0b97516784855b7f11788f4aea6fb2be3c4c59937fc487b3022338182d962c1335b20d12a3933cf2794c75d663fd022a07d4a61eed3b1d7ab5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\L
MD5
2230c81075c9b0fc32046c3a5b491c12

SHA1
915c0ed60bd52758f896da416d26ba817f88899b

SHA256
495011f71a52dbbf3819ce6693f1bea00513208db38d70471e30eb0d3714de73

SHA512
440f68735e20a53b40a2b2ff43328f0975cd09c4ffd274bb0ee9b6ee4d80d35e8642bcaa3cee5bed813137134c4d8c2d4670142bd77e4dc3c38af6f6fca16829

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mia.wmv
MD5
2230c81075c9b0fc32046c3a5b491c12

SHA1
915c0ed60bd52758f896da416d26ba817f88899b

SHA256
495011f71a52dbbf3819ce6693f1bea00513208db38d70471e30eb0d3714de73

SHA512
440f68735e20a53b40a2b2ff43328f0975cd09c4ffd274bb0ee9b6ee4d80d35e8642bcaa3cee5bed813137134c4d8c2d4670142bd77e4dc3c38af6f6fca16829

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com
MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com
MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com
MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com
MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
memory/1092-128-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1092-131-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1092-132-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads