remcos | 24c703c4dd50f019ecc8d261702a339ea8bb5f83d8187228ea561a320568c9a7

Analysis

max time kernel
81s
max time network
86s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2023, 11:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

rooming list.exe
Size

300.0MB
MD5

16500be6641b3826354c8a2c8bc42a3e
SHA1

b557c2d8036db807611414891523eb09318d7630
SHA256

e4a386d2f0204e9f58187dcd4ea1d0670bc5369fbbb5b60056090441348368b2
SHA512

4b1422be191b6fc7884ae131da1044b01ee6fec73f8390995e644f114281c072cf1b0c41a08c9b39b9ae4577ada2a33842caf632d52184e1eeb5525728bf1bff
SSDEEP

12288:YvCEz4cRx+MHXCa/TaBCT0v+yAQqjLzy/xXpurm+:YdEHSC8WB00vlAQqH+/lpu7

Score

10^/10

remcos machie rat

Malware Config

Extracted

Family

remcos

Botnet

machie

logzhome.mywire.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QI94R6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
3976	mostros.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 2164	1684	rooming list.exe	83
PID 3976 set thread context of 4420	3976	mostros.exe	107

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1780	schtasks.exe
2300	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2164	csc.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2164	1684	rooming list.exe	83
PID 1684 wrote to memory of 2164	1684	rooming list.exe	83
PID 1684 wrote to memory of 2164	1684	rooming list.exe	83
PID 1684 wrote to memory of 2164	1684	rooming list.exe	83
PID 1684 wrote to memory of 2164	1684	rooming list.exe	83
PID 1684 wrote to memory of 2164	1684	rooming list.exe	83
PID 1684 wrote to memory of 2164	1684	rooming list.exe	83
PID 1684 wrote to memory of 2164	1684	rooming list.exe	83
PID 1684 wrote to memory of 2164	1684	rooming list.exe	83
PID 1684 wrote to memory of 2164	1684	rooming list.exe	83
PID 1684 wrote to memory of 2164	1684	rooming list.exe	83
PID 1684 wrote to memory of 2164	1684	rooming list.exe	83
PID 1684 wrote to memory of 4776	1684	rooming list.exe	84
PID 1684 wrote to memory of 4776	1684	rooming list.exe	84
PID 1684 wrote to memory of 4776	1684	rooming list.exe	84
PID 1684 wrote to memory of 3728	1684	rooming list.exe	85
PID 1684 wrote to memory of 3728	1684	rooming list.exe	85
PID 1684 wrote to memory of 3728	1684	rooming list.exe	85
PID 1684 wrote to memory of 2344	1684	rooming list.exe	86
PID 1684 wrote to memory of 2344	1684	rooming list.exe	86
PID 1684 wrote to memory of 2344	1684	rooming list.exe	86
PID 3728 wrote to memory of 1780	3728	cmd.exe	90
PID 3728 wrote to memory of 1780	3728	cmd.exe	90
PID 3728 wrote to memory of 1780	3728	cmd.exe	90
PID 3976 wrote to memory of 4420	3976	mostros.exe	107
PID 3976 wrote to memory of 4420	3976	mostros.exe	107
PID 3976 wrote to memory of 4420	3976	mostros.exe	107
PID 3976 wrote to memory of 4420	3976	mostros.exe	107
PID 3976 wrote to memory of 4420	3976	mostros.exe	107
PID 3976 wrote to memory of 4420	3976	mostros.exe	107
PID 3976 wrote to memory of 4420	3976	mostros.exe	107
PID 3976 wrote to memory of 4420	3976	mostros.exe	107
PID 3976 wrote to memory of 4420	3976	mostros.exe	107
PID 3976 wrote to memory of 4420	3976	mostros.exe	107
PID 3976 wrote to memory of 4420	3976	mostros.exe	107
PID 3976 wrote to memory of 4420	3976	mostros.exe	107
PID 3976 wrote to memory of 4692	3976	mostros.exe	109
PID 3976 wrote to memory of 4692	3976	mostros.exe	109
PID 3976 wrote to memory of 4692	3976	mostros.exe	109
PID 3976 wrote to memory of 2160	3976	mostros.exe	108
PID 3976 wrote to memory of 2160	3976	mostros.exe	108
PID 3976 wrote to memory of 2160	3976	mostros.exe	108
PID 3976 wrote to memory of 1420	3976	mostros.exe	110
PID 3976 wrote to memory of 1420	3976	mostros.exe	110
PID 3976 wrote to memory of 1420	3976	mostros.exe	110
PID 2160 wrote to memory of 2300	2160	cmd.exe	114
PID 2160 wrote to memory of 2300	2160	cmd.exe	114
PID 2160 wrote to memory of 2300	2160	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\rooming list.exe
"C:\Users\Admin\AppData\Local\Temp\rooming list.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2164
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\mostros"
  2⤵
  PID:4776
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\mostros\mostros.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\mostros\mostros.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\rooming list.exe" "C:\Users\Admin\AppData\Roaming\mostros\mostros.exe"
  2⤵
  PID:2344

C:\Users\Admin\AppData\Roaming\mostros\mostros.exe
C:\Users\Admin\AppData\Roaming\mostros\mostros.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:4420
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\mostros\mostros.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\mostros\mostros.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\mostros"
  2⤵
  PID:4692
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\mostros\mostros.exe" "C:\Users\Admin\AppData\Roaming\mostros\mostros.exe"
  2⤵
  PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
db92379e275443c28080e01f69c9ca03

SHA1
04da77089423727e919bb7e3ad43683396c12ea4

SHA256
31044cf2ed3add75cb99e779b8ae25086cb4cba4b8d67b3e7af50b60bead6f01

SHA512
12aa2885273e90359a89c753edd1b5c02fa83c7706bfa8a46981db38d6d9bcb78b4c3bd98b2dc4233b872b8388872d7c4be8b381c7ed5ba9651c8bf40e91fccc

Download Submit
C:\Users\Admin\AppData\Roaming\mostros\mostros.exe

Filesize
67.2MB

MD5
817ce0ceca85f4fc566c385a177a676c

SHA1
879d46d2d575b9ed6f660917a734e3fcf1d8ddae

SHA256
f13755abe4e9d47e3410c19f5eb17af50eed6667e7549731cb088567ef6ca7eb

SHA512
94a70366bfb90ca658aa5700d3159f2b2641e561f99b968edb8e43966a4dbb278deaca5bac1db70b6ee8e0ce5c14e4ad74f3933ca86bc150feb996aa96083f71

Download Submit
C:\Users\Admin\AppData\Roaming\mostros\mostros.exe

Filesize
67.0MB

MD5
7e7670b1a507f5e6d28555459b6c06d4

SHA1
3056e645ac89eb86d1bf2b8fd24dfc3c9dd7ebe3

SHA256
d1fcf07babdc5df00ef185c3a6110e7c7072b9b126e5938fdc5b71d1194908f0

SHA512
30ca5e21d047c496ae79988489daa82781901dc0bd909e588bdaa331e546953ec685eceff17bdbc4fc1c855ed62a75e3a462dee95eec69abd966ea1788fba453

Download Submit
memory/1684-133-0x0000000000D80000-0x0000000000E38000-memory.dmp

Filesize
736KB

Download
memory/1684-134-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/2164-169-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-201-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-137-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-139-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-141-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-142-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-144-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-148-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-150-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-151-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-152-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-153-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-155-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-156-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-157-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-159-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-160-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-161-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-163-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-164-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-165-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-166-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-168-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-135-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-136-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-171-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-205-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-174-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-176-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-177-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-178-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-180-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-181-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-182-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-191-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-192-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-212-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-193-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-194-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-196-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-197-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-198-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-200-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-172-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-202-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-204-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-173-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-207-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-208-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-210-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2164-211-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4420-187-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4420-188-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4420-190-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads