remcos | 1232-67-0x0000000000400000-0x0000000000488000-memory[.]dmp | Triage

Sharing

General

Target

1232-67-0x0000000000400000-0x0000000000488000-memory.dmp
Size

544KB
MD5

2409221ec1bd1980965f56d1dc0be667
SHA1

714af6bc8c35fcba3a8800395bd6be7320752269
SHA256

68524c929875e30fb8d68fbd38ad48d6adb6895ce3cbf183d0ff29281d82eaa4
SHA512

9401087716bec2451a23604ff395656243d565436d202c256ae9d5c4eca77c7f5ebd9f7001addb165e1ceb030631f76a14af72fe927a86d3701a8c3a2d4a3a30
SSDEEP

6144:xAg4RVDZlHx5k7iLZnaSguI2IiRL/SISjw8nHW4EkR2K3g9ZsAOZZQmXsg7jg:xmnk7iLJbpIpiRL6I2W4EtKQ9ZsfZQc

Score

10^/10

upx remotehoststar remcos

Malware Config

Extracted

Family

remcos

Botnet

RemoteHostStar

C2

41.216.183.226:41900

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0OUDX5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos family
remcos

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
sample	upx

Files

1232-67-0x0000000000400000-0x0000000000488000-memory.dmp
.exe windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 308KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

UPX1
Size: 208KB - Virtual size: 212KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 18KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE