remcos | e3ae3157428659c73519c6eceb3066f5b0261e006d574b039c15c6b54abbea1a

Analysis

max time kernel
152s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2023 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

slpr.exe
Size

300.0MB
MD5

5c94b9f981e63a440a7a40971a9c2d36
SHA1

0df6bc0f2f497bb0cd935fb00433bead94f6d28b
SHA256

e3ae3157428659c73519c6eceb3066f5b0261e006d574b039c15c6b54abbea1a
SHA512

40f3eb162834b819b583dcced66646763c18cf8b92d14ca8b6a1ec0ea020e14e2076da69cf3637bee7ed6b62e342106bd8846a121ee49d1f47735b3560c63d5d
SSDEEP

12288:Yog+f66nQlAI0FBX+OeKUPrrQ84BPBRMTSUfXJuSMZdnh0TBnms:YX+yyQlh0FOzrF7T3vJUTnh0TF

Score

10^/10

remcos casamami rat

Malware Config

Extracted

Family

remcos

Botnet

CASAMAMI

casamami.con-ip.com:7770

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-2JJVDI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 3 IoCs

pid	Process
3468	slpr.exe
3420	slpr.exe
2896	slpr.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4760 set thread context of 2184	4760	slpr.exe	82
PID 3468 set thread context of 4836	3468	slpr.exe	97
PID 3420 set thread context of 1172	3420	slpr.exe	107
PID 2896 set thread context of 5092	2896	slpr.exe	119

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3432	1172	WerFault.exe	107

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4104	schtasks.exe
2940	schtasks.exe
4420	schtasks.exe
4428	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2184	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 2184	4760	slpr.exe	82
PID 4760 wrote to memory of 2184	4760	slpr.exe	82
PID 4760 wrote to memory of 2184	4760	slpr.exe	82
PID 4760 wrote to memory of 2184	4760	slpr.exe	82
PID 4760 wrote to memory of 2184	4760	slpr.exe	82
PID 4760 wrote to memory of 2184	4760	slpr.exe	82
PID 4760 wrote to memory of 2184	4760	slpr.exe	82
PID 4760 wrote to memory of 2184	4760	slpr.exe	82
PID 4760 wrote to memory of 2184	4760	slpr.exe	82
PID 4760 wrote to memory of 2184	4760	slpr.exe	82
PID 4760 wrote to memory of 2184	4760	slpr.exe	82
PID 4760 wrote to memory of 2184	4760	slpr.exe	82
PID 4760 wrote to memory of 4304	4760	slpr.exe	83
PID 4760 wrote to memory of 4304	4760	slpr.exe	83
PID 4760 wrote to memory of 4304	4760	slpr.exe	83
PID 4760 wrote to memory of 212	4760	slpr.exe	87
PID 4760 wrote to memory of 212	4760	slpr.exe	87
PID 4760 wrote to memory of 212	4760	slpr.exe	87
PID 4760 wrote to memory of 220	4760	slpr.exe	85
PID 4760 wrote to memory of 220	4760	slpr.exe	85
PID 4760 wrote to memory of 220	4760	slpr.exe	85
PID 212 wrote to memory of 4104	212	cmd.exe	89
PID 212 wrote to memory of 4104	212	cmd.exe	89
PID 212 wrote to memory of 4104	212	cmd.exe	89
PID 3468 wrote to memory of 4836	3468	slpr.exe	97
PID 3468 wrote to memory of 4836	3468	slpr.exe	97
PID 3468 wrote to memory of 4836	3468	slpr.exe	97
PID 3468 wrote to memory of 4836	3468	slpr.exe	97
PID 3468 wrote to memory of 4836	3468	slpr.exe	97
PID 3468 wrote to memory of 4836	3468	slpr.exe	97
PID 3468 wrote to memory of 4836	3468	slpr.exe	97
PID 3468 wrote to memory of 4836	3468	slpr.exe	97
PID 3468 wrote to memory of 4836	3468	slpr.exe	97
PID 3468 wrote to memory of 4836	3468	slpr.exe	97
PID 3468 wrote to memory of 4836	3468	slpr.exe	97
PID 3468 wrote to memory of 4836	3468	slpr.exe	97
PID 3468 wrote to memory of 3712	3468	slpr.exe	103
PID 3468 wrote to memory of 3712	3468	slpr.exe	103
PID 3468 wrote to memory of 3712	3468	slpr.exe	103
PID 3468 wrote to memory of 1728	3468	slpr.exe	102
PID 3468 wrote to memory of 1728	3468	slpr.exe	102
PID 3468 wrote to memory of 1728	3468	slpr.exe	102
PID 3468 wrote to memory of 3720	3468	slpr.exe	98
PID 3468 wrote to memory of 3720	3468	slpr.exe	98
PID 3468 wrote to memory of 3720	3468	slpr.exe	98
PID 1728 wrote to memory of 2940	1728	cmd.exe	104
PID 1728 wrote to memory of 2940	1728	cmd.exe	104
PID 1728 wrote to memory of 2940	1728	cmd.exe	104
PID 3420 wrote to memory of 1172	3420	slpr.exe	107
PID 3420 wrote to memory of 1172	3420	slpr.exe	107
PID 3420 wrote to memory of 1172	3420	slpr.exe	107
PID 3420 wrote to memory of 1172	3420	slpr.exe	107
PID 3420 wrote to memory of 1172	3420	slpr.exe	107
PID 3420 wrote to memory of 1172	3420	slpr.exe	107
PID 3420 wrote to memory of 1172	3420	slpr.exe	107
PID 3420 wrote to memory of 1172	3420	slpr.exe	107
PID 3420 wrote to memory of 1172	3420	slpr.exe	107
PID 3420 wrote to memory of 1172	3420	slpr.exe	107
PID 3420 wrote to memory of 1172	3420	slpr.exe	107
PID 3420 wrote to memory of 1172	3420	slpr.exe	107
PID 3420 wrote to memory of 1668	3420	slpr.exe	108
PID 3420 wrote to memory of 1668	3420	slpr.exe	108
PID 3420 wrote to memory of 1668	3420	slpr.exe	108
PID 3420 wrote to memory of 3248	3420	slpr.exe	109

C:\Users\Admin\AppData\Local\Temp\slpr.exe
"C:\Users\Admin\AppData\Local\Temp\slpr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2184
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\slpr"
  2⤵
  PID:4304
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\slpr.exe" "C:\Users\Admin\AppData\Roaming\slpr\slpr.exe"
  2⤵
  PID:220
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\slpr\slpr.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\slpr\slpr.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4104

C:\Users\Admin\AppData\Roaming\slpr\slpr.exe
C:\Users\Admin\AppData\Roaming\slpr\slpr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:4836
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\slpr\slpr.exe" "C:\Users\Admin\AppData\Roaming\slpr\slpr.exe"
  2⤵
  PID:3720
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\slpr\slpr.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\slpr\slpr.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\slpr"
  2⤵
  PID:3712

C:\Users\Admin\AppData\Roaming\slpr\slpr.exe
C:\Users\Admin\AppData\Roaming\slpr\slpr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 512
    3⤵
    - Program crash
    PID:3432
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\slpr"
  2⤵
  PID:1668
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\slpr\slpr.exe'" /f
  2⤵
  PID:3248
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\slpr\slpr.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4420
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\slpr\slpr.exe" "C:\Users\Admin\AppData\Roaming\slpr\slpr.exe"
  2⤵
  PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1172 -ip 1172
1⤵
PID:3260

C:\Users\Admin\AppData\Roaming\slpr\slpr.exe
C:\Users\Admin\AppData\Roaming\slpr\slpr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:5092
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\slpr"
  2⤵
  PID:4024
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\slpr\slpr.exe" "C:\Users\Admin\AppData\Roaming\slpr\slpr.exe"
  2⤵
  PID:380
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\slpr\slpr.exe'" /f
  2⤵
  PID:2136
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\slpr\slpr.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\slpr.exe.log

Filesize
517B

MD5
13f84b613e6a4dd2d82f7c44b2295a04

SHA1
f9e07213c2825ecb28e732f3e66e07625747c4b3

SHA256
d9c52c1eb0b6a04d3495ab971da2c6d01b0964a8b04fd173bfb351820b255c33

SHA512
3a2aca3d21bff43e36de5d9c97b0d1a9c972ee5ab0d9322a3615c0820042a7c9c4c0f2d41522fb4f2347b9a1679b63c91dcf5dc75444ba64c736e2cdcf10ee7d

Download Submit
C:\Users\Admin\AppData\Roaming\slpr\slpr.exe

Filesize
300.0MB

MD5
5c94b9f981e63a440a7a40971a9c2d36

SHA1
0df6bc0f2f497bb0cd935fb00433bead94f6d28b

SHA256
e3ae3157428659c73519c6eceb3066f5b0261e006d574b039c15c6b54abbea1a

SHA512
40f3eb162834b819b583dcced66646763c18cf8b92d14ca8b6a1ec0ea020e14e2076da69cf3637bee7ed6b62e342106bd8846a121ee49d1f47735b3560c63d5d

Download Submit
C:\Users\Admin\AppData\Roaming\slpr\slpr.exe

Filesize
300.0MB

MD5
5c94b9f981e63a440a7a40971a9c2d36

SHA1
0df6bc0f2f497bb0cd935fb00433bead94f6d28b

SHA256
e3ae3157428659c73519c6eceb3066f5b0261e006d574b039c15c6b54abbea1a

SHA512
40f3eb162834b819b583dcced66646763c18cf8b92d14ca8b6a1ec0ea020e14e2076da69cf3637bee7ed6b62e342106bd8846a121ee49d1f47735b3560c63d5d

Download Submit
C:\Users\Admin\AppData\Roaming\slpr\slpr.exe

Filesize
300.0MB

MD5
5c94b9f981e63a440a7a40971a9c2d36

SHA1
0df6bc0f2f497bb0cd935fb00433bead94f6d28b

SHA256
e3ae3157428659c73519c6eceb3066f5b0261e006d574b039c15c6b54abbea1a

SHA512
40f3eb162834b819b583dcced66646763c18cf8b92d14ca8b6a1ec0ea020e14e2076da69cf3637bee7ed6b62e342106bd8846a121ee49d1f47735b3560c63d5d

Download Submit
C:\Users\Admin\AppData\Roaming\slpr\slpr.exe

Filesize
165.5MB

MD5
0ec66d25e6f74e617c472ec7b1c406a8

SHA1
7e1b0666eaf3b65eff3c065395e8a6a4af436f29

SHA256
02e663e17c7e134a184dae9fa3729298c8f45729b6961897db0b966c2f7b2f9d

SHA512
2c0da27586dcbf59e81b29177e240f490e8d8b1301c359abe47f8ff2810e7a0ddd88d846cb0f8a1fda9454df6219f15229e2710488fa9c07355b15a5080379cf

Download Submit
memory/1172-165-0x0000000000680000-0x0000000000700000-memory.dmp

Filesize
512KB

Download
memory/1172-171-0x0000000000680000-0x0000000000700000-memory.dmp

Filesize
512KB

Download
memory/2184-139-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2184-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2184-141-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2184-136-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2184-135-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4760-132-0x0000000000B20000-0x0000000000BD8000-memory.dmp

Filesize
736KB

Download
memory/4760-133-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/4836-153-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4836-149-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4836-150-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5092-177-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5092-178-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5092-180-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads