remcos | 3696d769fc0cfbf1d2e53dc532c7f33ac7fbad2eb7744f8df3e188734e2c5472

General

Target

TNT Original Invoice PDF.exe
Size

3.0MB
MD5

643c5b59c7aa82d2b356472a7e2bfc5c
SHA1

318f9034a63a6613ef5b57a10b13dc5cf30a54d7
SHA256

3696d769fc0cfbf1d2e53dc532c7f33ac7fbad2eb7744f8df3e188734e2c5472
SHA512

b90d9a891e70acb29f82f49e9c197881bf671a12b8bc478ed486b63d5fb0545399e559709867a4b57934df14b3bdd50b3a0b7bb6737f5554d671bbb095ddde17
SSDEEP

24576:lDX7TWfq0acNRVAWEo6E+uSLgaHgDZXhETZjipt/flxGV7hya0eqrmBtngpyyedk:5dNH2XSTZiAVnYD1JzOR1cUabuwHH

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.75.209.245:2406

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-52YOYG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

TNT Original Invoice PDF.exe

description pid process target process

PID 928 set thread context of 1476 928 TNT Original Invoice PDF.exe vbc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

1476 vbc.exe

description	pid	process	target process
PID 928 set thread context of 1476	928	TNT Original Invoice PDF.exe	vbc.exe

pid	process
1476	vbc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

TNT Original Invoice PDF.exe

description	pid	process	target process
PID 928 wrote to memory of 1476	928	TNT Original Invoice PDF.exe	vbc.exe
PID 928 wrote to memory of 1476	928	TNT Original Invoice PDF.exe	vbc.exe
PID 928 wrote to memory of 1476	928	TNT Original Invoice PDF.exe	vbc.exe
PID 928 wrote to memory of 1476	928	TNT Original Invoice PDF.exe	vbc.exe
PID 928 wrote to memory of 1476	928	TNT Original Invoice PDF.exe	vbc.exe
PID 928 wrote to memory of 1476	928	TNT Original Invoice PDF.exe	vbc.exe
PID 928 wrote to memory of 1476	928	TNT Original Invoice PDF.exe	vbc.exe
PID 928 wrote to memory of 1476	928	TNT Original Invoice PDF.exe	vbc.exe
PID 928 wrote to memory of 1476	928	TNT Original Invoice PDF.exe	vbc.exe
PID 928 wrote to memory of 1476	928	TNT Original Invoice PDF.exe	vbc.exe
PID 928 wrote to memory of 1476	928	TNT Original Invoice PDF.exe	vbc.exe
PID 928 wrote to memory of 1476	928	TNT Original Invoice PDF.exe	vbc.exe
PID 928 wrote to memory of 1476	928	TNT Original Invoice PDF.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe
"C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
5e181048e4abfad8f61abfc3c854c1ae

SHA1
1e771c219382429343618df16622a44171771104

SHA256
9767267967c67176ee1f2049191355bfd2a202728a534898576eefd8ef2279a7

SHA512
70a7d59b6a05d03661b1c4aef5028efe7873a7a8fdb2485dfd5bbc989b3f17624acedb6336605ecbde5466f4d9d28a303c82a2a72cf2a48d7afddd947958926b

Download Submit
memory/1476-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-93-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-59-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-54-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-99-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-56-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-80-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-85-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-87-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-92-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-55-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-98-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing