remcos | a6bf09d8242fd2933426629a504f995a5d624d555bd2f28a49876762ec0a03a6

General

Target

0b94975f5dde6feab979853991933616.exe
Size

1.0MB
MD5

0b94975f5dde6feab979853991933616
SHA1

6b15f943d7ae7e265e455026a70b2116bc7a407d
SHA256

a6bf09d8242fd2933426629a504f995a5d624d555bd2f28a49876762ec0a03a6
SHA512

7e8a156ea625dbe2d15f76a70bd79b6a123526ee1d71450b8e16b3df069f9cf6c2d25e9ee7796d644891537ee243618ae39ede7f4e1c75a66618c9ab1e452a37
SSDEEP

24576:cWRK9jeP8CWr4cBKXh83adVzgXF37tBJp:cWQ9+8Br45Xe36VS37H

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

seanblacin.sytes.net:6110

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
chrcrh.exe
copy_folder
chrcrh
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
chrcrh
mouse_option
false
mutex
Rmc-FDI6XX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
chrcrh
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1444 set thread context of 268	1444	0b94975f5dde6feab979853991933616.exe	27

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
268	0b94975f5dde6feab979853991933616.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 268	1444	0b94975f5dde6feab979853991933616.exe	27
PID 1444 wrote to memory of 268	1444	0b94975f5dde6feab979853991933616.exe	27
PID 1444 wrote to memory of 268	1444	0b94975f5dde6feab979853991933616.exe	27
PID 1444 wrote to memory of 268	1444	0b94975f5dde6feab979853991933616.exe	27
PID 1444 wrote to memory of 268	1444	0b94975f5dde6feab979853991933616.exe	27
PID 1444 wrote to memory of 268	1444	0b94975f5dde6feab979853991933616.exe	27
PID 1444 wrote to memory of 268	1444	0b94975f5dde6feab979853991933616.exe	27
PID 1444 wrote to memory of 268	1444	0b94975f5dde6feab979853991933616.exe	27
PID 1444 wrote to memory of 268	1444	0b94975f5dde6feab979853991933616.exe	27
PID 1444 wrote to memory of 268	1444	0b94975f5dde6feab979853991933616.exe	27
PID 1444 wrote to memory of 268	1444	0b94975f5dde6feab979853991933616.exe	27
PID 1444 wrote to memory of 268	1444	0b94975f5dde6feab979853991933616.exe	27
PID 1444 wrote to memory of 268	1444	0b94975f5dde6feab979853991933616.exe	27

C:\Users\Admin\AppData\Local\Temp\0b94975f5dde6feab979853991933616.exe
"C:\Users\Admin\AppData\Local\Temp\0b94975f5dde6feab979853991933616.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\0b94975f5dde6feab979853991933616.exe
  "C:\Users\Admin\AppData\Local\Temp\0b94975f5dde6feab979853991933616.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chrcrh\logs.dat

Filesize
144B

MD5
bdda7e7f5c2553028840e514509cc7b1

SHA1
d9807452b230a812bad8ff46a2fff365115e7651

SHA256
b62803c0320a57cec55ba89f91117e000e4a1bf4f2567ca31f70d3972be1c4f7

SHA512
16e9a14a9cfebdd7c47d9f016b904d850d2100d1492e2b5c3ab9b545b38cf714455658e4b96fc53ed66d44f864f8d511dce34f65c132cef5557632977e38d48f

Download Submit
memory/268-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-109-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-108-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-102-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-101-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-61-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-62-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-63-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-64-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-65-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-70-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/268-68-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-67-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-66-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-76-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-78-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-80-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-72-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/268-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1444-55-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/1444-54-0x0000000000C60000-0x0000000000D6C000-memory.dmp

Filesize
1.0MB

Download
memory/1444-56-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/1444-60-0x0000000005490000-0x0000000005510000-memory.dmp

Filesize
512KB

Download
memory/1444-59-0x0000000005090000-0x0000000005144000-memory.dmp

Filesize
720KB

Download
memory/1444-58-0x0000000000790000-0x000000000079A000-memory.dmp

Filesize
40KB

Download
memory/1444-57-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing