remcos | d4bee566c89c0e8c89f0539d2d49279f844317c54ee3216c049f038b773de8dc

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-09-2022 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INQUIRY 3937489.exe
Size

1.1MB
MD5

637d6c0ed25f4c0cdb346448d337be6c
SHA1

fac78a61ed68ac9d0e1b107814bb56c2828da596
SHA256

d4bee566c89c0e8c89f0539d2d49279f844317c54ee3216c049f038b773de8dc
SHA512

4a10bd5dc2ff83b6294a417b4d457b544ff24c28c7c7034245fc6360d5e680ffd9947be70827dbb67cc786999c23ab5ce0e15dcd8a5e2fd83d539fb12449db43
SSDEEP

12288:Wv1HM7T0I9bgER7BDkw7oPVrL8YIIA0WvJnorEzXOYNJe9OYhUOtLA/0U9q465yp:OMf0ItxRlIPPVrL8sAzxOYOkObU9qmo

Score

10^/10

remcos new rem stub rat

Malware Config

Extracted

Family

remcos

Botnet

NEW REM STUB

valvesco.duckdns.org:5050

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-48V73L
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

INQUIRY 3937489.exe

description pid process target process

PID 536 set thread context of 1784 536 INQUIRY 3937489.exe INQUIRY 3937489.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

INQUIRY 3937489.exe

pid process

536 INQUIRY 3937489.exe
536 INQUIRY 3937489.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

INQUIRY 3937489.exe

description pid process

Token: SeDebugPrivilege 536 INQUIRY 3937489.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

INQUIRY 3937489.exe

pid process

1784 INQUIRY 3937489.exe

description	pid	process	target process
PID 536 set thread context of 1784	536	INQUIRY 3937489.exe	INQUIRY 3937489.exe

pid	process
536	INQUIRY 3937489.exe
536	INQUIRY 3937489.exe

description	pid	process
Token: SeDebugPrivilege	536	INQUIRY 3937489.exe

pid	process
1784	INQUIRY 3937489.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

INQUIRY 3937489.exe

description	pid	process	target process
PID 536 wrote to memory of 1784	536	INQUIRY 3937489.exe	INQUIRY 3937489.exe
PID 536 wrote to memory of 1784	536	INQUIRY 3937489.exe	INQUIRY 3937489.exe
PID 536 wrote to memory of 1784	536	INQUIRY 3937489.exe	INQUIRY 3937489.exe
PID 536 wrote to memory of 1784	536	INQUIRY 3937489.exe	INQUIRY 3937489.exe
PID 536 wrote to memory of 1784	536	INQUIRY 3937489.exe	INQUIRY 3937489.exe
PID 536 wrote to memory of 1784	536	INQUIRY 3937489.exe	INQUIRY 3937489.exe
PID 536 wrote to memory of 1784	536	INQUIRY 3937489.exe	INQUIRY 3937489.exe
PID 536 wrote to memory of 1784	536	INQUIRY 3937489.exe	INQUIRY 3937489.exe
PID 536 wrote to memory of 1784	536	INQUIRY 3937489.exe	INQUIRY 3937489.exe
PID 536 wrote to memory of 1784	536	INQUIRY 3937489.exe	INQUIRY 3937489.exe
PID 536 wrote to memory of 1784	536	INQUIRY 3937489.exe	INQUIRY 3937489.exe
PID 536 wrote to memory of 1784	536	INQUIRY 3937489.exe	INQUIRY 3937489.exe
PID 536 wrote to memory of 1784	536	INQUIRY 3937489.exe	INQUIRY 3937489.exe

C:\Users\Admin\AppData\Local\Temp\INQUIRY 3937489.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY 3937489.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\INQUIRY 3937489.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY 3937489.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-54-0x0000000000930000-0x0000000000A42000-memory.dmp

Filesize
1.1MB

Download
memory/536-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/536-56-0x00000000003B0000-0x00000000003C4000-memory.dmp

Filesize
80KB

Download
memory/536-57-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/536-58-0x00000000057A0000-0x0000000005872000-memory.dmp

Filesize
840KB

Download
memory/536-59-0x0000000004F60000-0x0000000004FDC000-memory.dmp

Filesize
496KB

Download
memory/1784-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1784-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1784-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1784-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1784-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1784-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1784-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1784-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1784-73-0x00000000004327A4-mapping.dmp

Download
memory/1784-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1784-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1784-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1784-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download