remcos | 1640-82-0x0000000000400000-0x0000000000480000-memory[.]dmp

General

Target

1640-82-0x0000000000400000-0x0000000000480000-memory.dmp
Size

512KB
MD5

d812ce3f670106eb9fbbc4d8a37803db
SHA1

ca103ee3d1b3368046f3805569d51adf1a29d28b
SHA256

bff73e62d1e83bb685faae7c03bef0203bf485f3be30df214e16b1c6af1afdec
SHA512

094f6a84776e57c8c4adb13adfa711647387cb7ce5c722cc0d5c08f2a3f2e6f1a6a492de4d4ed2f606c4437f5fd5851f0c6c43059d052247e085c12eafcfe6dc
SSDEEP

6144:XjH9dY1fKmXbwxqbQWmudPOqwiXO3X2yjKCrp/5ttAAMS6NYUsAOZZgQXTc9:XjdAK8wxqkXuxOqLXO3X2orpbKs/Zg

Score

10^/10

remotehost remcos

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:56932

185.65.134.165:56932

10.16.0.13:56932

45.128.234.54:56932

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HDN1YS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos family
remcos

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
1640-82-0x0000000000400000-0x0000000000480000-memory.dmp

Files

1640-82-0x0000000000400000-0x0000000000480000-memory.dmp
.exe windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 341KB - Virtual size: 341KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 94KB - Virtual size: 93KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 1024B - Virtual size: 560B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 341KB - Virtual size: 341KB

.rdata Size: 94KB - Virtual size: 93KB

.data Size: 3KB - Virtual size: 23KB

.tls Size: 512B - Virtual size: 9B

.gfids Size: 1024B - Virtual size: 560B

.rsrc Size: 19KB - Virtual size: 19KB

.reloc Size: 15KB - Virtual size: 14KB

.text
Size: 341KB - Virtual size: 341KB

.rdata
Size: 94KB - Virtual size: 93KB

.data
Size: 3KB - Virtual size: 23KB

.tls
Size: 512B - Virtual size: 9B

.gfids
Size: 1024B - Virtual size: 560B

.rsrc
Size: 19KB - Virtual size: 19KB

.reloc
Size: 15KB - Virtual size: 14KB