remcos | 3696d769fc0cfbf1d2e53dc532c7f33ac7fbad2eb7744f8df3e188734e2c5472

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TNT Original Invoice PDF.exe
Size

3.0MB
MD5

643c5b59c7aa82d2b356472a7e2bfc5c
SHA1

318f9034a63a6613ef5b57a10b13dc5cf30a54d7
SHA256

3696d769fc0cfbf1d2e53dc532c7f33ac7fbad2eb7744f8df3e188734e2c5472
SHA512

b90d9a891e70acb29f82f49e9c197881bf671a12b8bc478ed486b63d5fb0545399e559709867a4b57934df14b3bdd50b3a0b7bb6737f5554d671bbb095ddde17
SSDEEP

24576:lDX7TWfq0acNRVAWEo6E+uSLgaHgDZXhETZjipt/flxGV7hya0eqrmBtngpyyedk:5dNH2XSTZiAVnYD1JzOR1cUabuwHH

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

51.75.209.245:2406

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-52YOYG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

TNT Original Invoice PDF.exe

description pid process target process

PID 1640 set thread context of 4800 1640 TNT Original Invoice PDF.exe vbc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

4800 vbc.exe

description	pid	process	target process
PID 1640 set thread context of 4800	1640	TNT Original Invoice PDF.exe	vbc.exe

pid	process
4800	vbc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

TNT Original Invoice PDF.exe

description	pid	process	target process
PID 1640 wrote to memory of 4800	1640	TNT Original Invoice PDF.exe	vbc.exe
PID 1640 wrote to memory of 4800	1640	TNT Original Invoice PDF.exe	vbc.exe
PID 1640 wrote to memory of 4800	1640	TNT Original Invoice PDF.exe	vbc.exe
PID 1640 wrote to memory of 4800	1640	TNT Original Invoice PDF.exe	vbc.exe
PID 1640 wrote to memory of 4800	1640	TNT Original Invoice PDF.exe	vbc.exe
PID 1640 wrote to memory of 4800	1640	TNT Original Invoice PDF.exe	vbc.exe
PID 1640 wrote to memory of 4800	1640	TNT Original Invoice PDF.exe	vbc.exe
PID 1640 wrote to memory of 4800	1640	TNT Original Invoice PDF.exe	vbc.exe
PID 1640 wrote to memory of 4800	1640	TNT Original Invoice PDF.exe	vbc.exe
PID 1640 wrote to memory of 4800	1640	TNT Original Invoice PDF.exe	vbc.exe
PID 1640 wrote to memory of 4800	1640	TNT Original Invoice PDF.exe	vbc.exe
PID 1640 wrote to memory of 4800	1640	TNT Original Invoice PDF.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe
"C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:4800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
3d099e873d1f27ff9393bc423a725ed1

SHA1
be9bdb5a37b7c0e726e4301a09fb795c6b2ff337

SHA256
6b889cf4aa54880d8024bae78673af0ff989e9cc5a4dae3d35e5c8df95642424

SHA512
dfecb1f6d3c58611767d5f81b0e893523a237a490cea8368687746d50e104af05262d55fa8498822f5509444007f0fc39c745cc4a2a9ea61e6d30dcd6f15ec88

Download Submit
memory/4800-147-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-181-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-144-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-145-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-133-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-148-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-149-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-160-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-187-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-139-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-154-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-161-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-167-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-168-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-173-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-174-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-179-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-134-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-186-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download
memory/4800-155-0x0000000000960000-0x00000000009DF000-memory.dmp

Filesize
508KB

Download