remcos | 14fb2daf697ee302647b7d63c26e94f443c9516a5a707b85952b1158e5ffe12a

Analysis

max time kernel
169s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2023, 18:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cad377f243b54e3dddfe149f4cd54c8a.exe
Size

925KB
MD5

cad377f243b54e3dddfe149f4cd54c8a
SHA1

bb9e4fc981c04378758051885dc6e5062145b11b
SHA256

14fb2daf697ee302647b7d63c26e94f443c9516a5a707b85952b1158e5ffe12a
SHA512

8937d17ec7b4305632bfb6f090baab30ff263a01e77877b4caf205a4100ddb3743632a6206f0c770c1896357121903228a14235d4f5cbee0a08a8fe6606a302d
SSDEEP

24576:PdWUwhh26ZKwupWOZBSV/UXsiff0dFB0cK74aRlLMGZYWkV3M:PdWXKwIrZsVc8isK74aPM5F

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

seanblacin.sytes.net:6110

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
chrcrh.exe
copy_folder
chrcrh
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
chrcrh
mouse_option
false
mutex
Rmc-FDI6XX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
chrcrh
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1288 set thread context of 1140	1288	cad377f243b54e3dddfe149f4cd54c8a.exe	85

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1140	cad377f243b54e3dddfe149f4cd54c8a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1140	1288	cad377f243b54e3dddfe149f4cd54c8a.exe	85
PID 1288 wrote to memory of 1140	1288	cad377f243b54e3dddfe149f4cd54c8a.exe	85
PID 1288 wrote to memory of 1140	1288	cad377f243b54e3dddfe149f4cd54c8a.exe	85
PID 1288 wrote to memory of 1140	1288	cad377f243b54e3dddfe149f4cd54c8a.exe	85
PID 1288 wrote to memory of 1140	1288	cad377f243b54e3dddfe149f4cd54c8a.exe	85
PID 1288 wrote to memory of 1140	1288	cad377f243b54e3dddfe149f4cd54c8a.exe	85
PID 1288 wrote to memory of 1140	1288	cad377f243b54e3dddfe149f4cd54c8a.exe	85
PID 1288 wrote to memory of 1140	1288	cad377f243b54e3dddfe149f4cd54c8a.exe	85
PID 1288 wrote to memory of 1140	1288	cad377f243b54e3dddfe149f4cd54c8a.exe	85
PID 1288 wrote to memory of 1140	1288	cad377f243b54e3dddfe149f4cd54c8a.exe	85
PID 1288 wrote to memory of 1140	1288	cad377f243b54e3dddfe149f4cd54c8a.exe	85
PID 1288 wrote to memory of 1140	1288	cad377f243b54e3dddfe149f4cd54c8a.exe	85

C:\Users\Admin\AppData\Local\Temp\cad377f243b54e3dddfe149f4cd54c8a.exe
"C:\Users\Admin\AppData\Local\Temp\cad377f243b54e3dddfe149f4cd54c8a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\cad377f243b54e3dddfe149f4cd54c8a.exe
  "C:\Users\Admin\AppData\Local\Temp\cad377f243b54e3dddfe149f4cd54c8a.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chrcrh\logs.dat

Filesize
144B

MD5
172e7c7d22bcfc99a815fc9dfed2b90d

SHA1
910f8f3679997a6cd96dce09a4af1464110ba57f

SHA256
a0c551e0a8584e3fc41a21c90b2cb016e8e07808fafa260cf053e833107ee787

SHA512
96e419e96722bed2ce41d3b7489caaddbefaaeb3e17420bf4f36396252d9a867073f111080ec4f101a125e4eb3470349bc4e5659456916b24df6247e0e37edb1

Download Submit
memory/1140-156-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1140-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1140-171-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1140-170-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1140-163-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1140-162-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1140-140-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1140-148-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1140-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1140-144-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1140-155-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1140-145-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1140-141-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1140-149-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1140-151-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1140-152-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1288-135-0x0000000004DE0000-0x0000000004E72000-memory.dmp

Filesize
584KB

Download
memory/1288-133-0x0000000000330000-0x000000000041E000-memory.dmp

Filesize
952KB

Download
memory/1288-134-0x0000000005390000-0x0000000005934000-memory.dmp

Filesize
5.6MB

Download
memory/1288-139-0x0000000000AE0000-0x0000000000B7C000-memory.dmp

Filesize
624KB

Download
memory/1288-138-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/1288-137-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/1288-136-0x0000000004F90000-0x0000000004F9A000-memory.dmp

Filesize
40KB

Download