remcos | 4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b

General

Target

4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe
Size

902KB
MD5

435495d1e907cb11b89520c327e73b29
SHA1

72d479dd2061dd40ef2e3c51d3c0e3615f492d87
SHA256

4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b
SHA512

d8583fcbac289324bcfa54af3c75a4b6de91e15adb587941519cd2a41130fdca3ff067d99f1952b0cd48ac5b1db9c54f2e1629b0c34d1b518b9f4ac96fb6c6b7
SSDEEP

24576:K3zN3Ap7IDHaVstHpVlrYUbzqXkzjs9KhfcB0:6RA7oHaVstHWUbz7zjs9MfcB0

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

bmarch459.sytes.net:6110

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Ap10tlc.exe
copy_folder
Ap10tlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
ap10tlc
mouse_option
false
mutex
Rmc-GF9PME
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Ap10tlc
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5068 set thread context of 4632	5068	4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe	84

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4632	4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 4632	5068	4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe	84
PID 5068 wrote to memory of 4632	5068	4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe	84
PID 5068 wrote to memory of 4632	5068	4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe	84
PID 5068 wrote to memory of 4632	5068	4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe	84
PID 5068 wrote to memory of 4632	5068	4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe	84
PID 5068 wrote to memory of 4632	5068	4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe	84
PID 5068 wrote to memory of 4632	5068	4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe	84
PID 5068 wrote to memory of 4632	5068	4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe	84
PID 5068 wrote to memory of 4632	5068	4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe	84
PID 5068 wrote to memory of 4632	5068	4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe	84
PID 5068 wrote to memory of 4632	5068	4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe	84
PID 5068 wrote to memory of 4632	5068	4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe	84

C:\Users\Admin\AppData\Local\Temp\4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe
"C:\Users\Admin\AppData\Local\Temp\4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe
  "C:\Users\Admin\AppData\Local\Temp\4801d59db962b71b05112d91142dbe4efd48dcf5ccd93cc564df92be0450f16b.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ap10tlc\logs.dat

Filesize
144B

MD5
ba156a5861a4141398b3558ba78d94ce

SHA1
6de38612bb8f579b2e7c2eb9c197e6651f33adc4

SHA256
a78b06b5ae6c578f01263a83059f6529d0990c4c023fefd74d8c498268bc896a

SHA512
175eef06bd1af49c1890703a72721ebe46b6439a1b46716ef83ff4d3281ed98c3c9f4fb8043fcadb675b98e109aa6c44c459c26dc6e6a89a4352e4d4fadefe1d

Download Submit
memory/4632-149-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-181-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-148-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-180-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-172-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-165-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-140-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-141-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-144-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-146-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-164-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-150-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-159-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-151-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-152-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-154-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-155-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4632-156-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5068-134-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/5068-135-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/5068-136-0x0000000005300000-0x000000000530A000-memory.dmp

Filesize
40KB

Download
memory/5068-139-0x0000000008490000-0x000000000852C000-memory.dmp

Filesize
624KB

Download
memory/5068-138-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/5068-137-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/5068-133-0x0000000000350000-0x0000000000438000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing