remcos | 1076-66-0x0000000000400000-0x0000000000488000-memory[.]dmp | Triage

Sharing

Copy URL Twitter E-mail

General

Target

1076-66-0x0000000000400000-0x0000000000488000-memory.dmp
Size

544KB
MD5

b6eca1b9586da3c36a544f629bc6a3e7
SHA1

379acef59b56ef3e50e43cd0c95b4c8e022fceb6
SHA256

667ac9100de3e4726267a91b435fc48537d77bd5d8710c782408f8afd897f30e
SHA512

aeb84bc89af52b408964b5f7645ba1db856bc2fd966e3324998a45f3cca697408d0381893a2bdba8e56280146be6602fbf26a62ad9200028a1f611da71606535
SSDEEP

6144:xAg4RVDZlHx5k7iLZnaSguI2IiRL/SISjw8nHWyR2K3g9ZsAOZZQmXmjjg:xmnk7iLJbpIpiRL6I2W3KQ9ZsfZQ

Score

10^/10

upx remotehoststar remcos

Malware Config

Extracted

Family

remcos

Botnet

RemoteHostStar

C2

41.216.183.226:41900

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0OUDX5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos family
remcos

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
sample	upx

Files

1076-66-0x0000000000400000-0x0000000000488000-memory.dmp
.exe windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 308KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

UPX1
Size: 208KB - Virtual size: 212KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 18KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE