remcos | d47915645f8fa712a296ae6435bac9f09508e26a0fae53956d15f628dab2b027

Analysis

max time kernel
160s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2023, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

plugmanzx.exe
Size

670KB
MD5

15d5e74616081c059d0107dbbbf5982c
SHA1

ec404a317e96007cdd3367c514ebf6a06304cc8e
SHA256

d47915645f8fa712a296ae6435bac9f09508e26a0fae53956d15f628dab2b027
SHA512

490e2d18079104a3d5708c620a9e884efc53da977fd8e6d98658e2e91e81c843705a71c5ffe31144d5102ddccedb1330959a24143337356b8e238d9dd581b6b8
SSDEEP

12288:OYayxXfQbqIh8mQ9MgcUu6C39qVeQ4Wpn2tdQkk+N31y:OYnAqI6m0pcICqVD4Wp2tRk+Nly

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

favgrandson7.sytes.net:1993

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HFW64Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
932	oaipgeihe.exe
4836	oaipgeihe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 932 set thread context of 4836	932	oaipgeihe.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
932	oaipgeihe.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4836	oaipgeihe.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 932	3048	plugmanzx.exe	79
PID 3048 wrote to memory of 932	3048	plugmanzx.exe	79
PID 3048 wrote to memory of 932	3048	plugmanzx.exe	79
PID 932 wrote to memory of 4836	932	oaipgeihe.exe	80
PID 932 wrote to memory of 4836	932	oaipgeihe.exe	80
PID 932 wrote to memory of 4836	932	oaipgeihe.exe	80
PID 932 wrote to memory of 4836	932	oaipgeihe.exe	80

C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe
"C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\oaipgeihe.exe
  "C:\Users\Admin\AppData\Local\Temp\oaipgeihe.exe" C:\Users\Admin\AppData\Local\Temp\izexbgkxgg.sxl
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\oaipgeihe.exe
    "C:\Users\Admin\AppData\Local\Temp\oaipgeihe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hcdzspw.bz

Filesize
491KB

MD5
5c0c79b8035df3dbe438ba61f65c935e

SHA1
6b9f5ca4b392ac4d19a5acd0e25489b2be5a6a74

SHA256
ffbded11cc7890ca112c6580bf0b54a8dace2db9878f4f6ec99ed1d322a67d8a

SHA512
618625e27728408a4975a9293f20f842e90dffff658acd6c1e4780092c3cea2253b5fe9efbac156dcc7741de0fc512a431b051a6fb95439c788e20390445753d

Download Submit
C:\Users\Admin\AppData\Local\Temp\izexbgkxgg.sxl

Filesize
5KB

MD5
425432a41c7ba3453c1aafe8e703c548

SHA1
4cb0a75d80680302afc5d3c2808d8d1c5d1bd017

SHA256
8e3878f57c3cc0c0036c985e6095c7fe12ee75fb4aa26aae4fc1fa5aaa23ce11

SHA512
52f2aed62ffa47aaac2bdb579e7c356f56c73405eefbc62475a1ed0bebb018e302c6e38229d0fd1946a6b1079175406b0c29aad7e064e42c3b741d31883855a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oaipgeihe.exe

Filesize
84KB

MD5
63c8bcf600622e14c7f79032c20b604b

SHA1
c5f189b785b1c4e8fd3602b8b223b8ae1fd6047b

SHA256
37b82ceb5601cfe987e7490f205c72266640da0abf6ed4ebcafa92c1a8b4019e

SHA512
d24df5ded2f8a0eb05603dfcf2f4cb202353fec01e01639bf3911784a174f5d59c43af6027e2ba25cf337324e119e00421d75130f1301dd3c253b04d62f25f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oaipgeihe.exe

Filesize
84KB

MD5
63c8bcf600622e14c7f79032c20b604b

SHA1
c5f189b785b1c4e8fd3602b8b223b8ae1fd6047b

SHA256
37b82ceb5601cfe987e7490f205c72266640da0abf6ed4ebcafa92c1a8b4019e

SHA512
d24df5ded2f8a0eb05603dfcf2f4cb202353fec01e01639bf3911784a174f5d59c43af6027e2ba25cf337324e119e00421d75130f1301dd3c253b04d62f25f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oaipgeihe.exe

Filesize
84KB

MD5
63c8bcf600622e14c7f79032c20b604b

SHA1
c5f189b785b1c4e8fd3602b8b223b8ae1fd6047b

SHA256
37b82ceb5601cfe987e7490f205c72266640da0abf6ed4ebcafa92c1a8b4019e

SHA512
d24df5ded2f8a0eb05603dfcf2f4cb202353fec01e01639bf3911784a174f5d59c43af6027e2ba25cf337324e119e00421d75130f1301dd3c253b04d62f25f2c

Download Submit
memory/4836-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4836-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download