remcos | 5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4

General

Target

5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
Size

300.0MB
MD5

e4511dbd38b06be47f59500d5e2d8df3
SHA1

17f739c5c189d5ab042e8c9acf85f76fe94f719c
SHA256

5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4
SHA512

e7e9e1b07470e40e53bf6fde2cc4dbd4914ffed5170ae7024fabc980e05ab9bf343a72811ab9b8b35275c6a898a369a2a06103bd995bfc29cf314367550c9b9d
SSDEEP

12288:81/TNU8vQHjdMMEDeoeeP1jDdxKwtMHFKmoP:aqjdMMEQeP17l

Score

10^/10

remcos manup rat

Malware Config

Extracted

Family

remcos

Botnet

manup

C2

91.193.75.188:60005

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
universalupdaetfeeds.exe
copy_folder
universalupdaetfeeds
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
universalupdaetfeeds
keylog_path
%AppData%
mouse_option
false
mutex
universalupdaetfeeds-13BJX3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
universalupdaetfeeds
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

Processes:

5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe

description	pid	process	target process
PID 892 set thread context of 392	892	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe

pid process

392 5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe

pid	process
392	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe

description	pid	process	target process
PID 892 wrote to memory of 392	892	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
PID 892 wrote to memory of 392	892	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
PID 892 wrote to memory of 392	892	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
PID 892 wrote to memory of 392	892	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
PID 892 wrote to memory of 392	892	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
PID 892 wrote to memory of 392	892	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
PID 892 wrote to memory of 392	892	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
PID 892 wrote to memory of 392	892	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
PID 892 wrote to memory of 392	892	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
PID 892 wrote to memory of 392	892	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
PID 892 wrote to memory of 392	892	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
PID 892 wrote to memory of 392	892	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
PID 892 wrote to memory of 392	892	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe	5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe

C:\Users\Admin\AppData\Local\Temp\5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
"C:\Users\Admin\AppData\Local\Temp\5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
"C:\Users\Admin\AppData\Local\Temp\5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/392-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/392-56-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/392-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/392-59-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/392-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/392-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/392-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/392-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/392-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/392-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/392-69-0x00000000004327A4-mapping.dmp

Download
memory/392-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/892-54-0x00000000012C0000-0x0000000001352000-memory.dmp

Filesize
584KB

Download
memory/892-55-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing