remcos | a6bf09d8242fd2933426629a504f995a5d624d555bd2f28a49876762ec0a03a6

General

Target

0b94975f5dde6feab979853991933616.exe
Size

1.0MB
MD5

0b94975f5dde6feab979853991933616
SHA1

6b15f943d7ae7e265e455026a70b2116bc7a407d
SHA256

a6bf09d8242fd2933426629a504f995a5d624d555bd2f28a49876762ec0a03a6
SHA512

7e8a156ea625dbe2d15f76a70bd79b6a123526ee1d71450b8e16b3df069f9cf6c2d25e9ee7796d644891537ee243618ae39ede7f4e1c75a66618c9ab1e452a37
SSDEEP

24576:cWRK9jeP8CWr4cBKXh83adVzgXF37tBJp:cWQ9+8Br45Xe36VS37H

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

seanblacin.sytes.net:6110

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
chrcrh.exe
copy_folder
chrcrh
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
chrcrh
mouse_option
false
mutex
Rmc-FDI6XX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
chrcrh
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 208	1960	0b94975f5dde6feab979853991933616.exe	86

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
208	0b94975f5dde6feab979853991933616.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 208	1960	0b94975f5dde6feab979853991933616.exe	86
PID 1960 wrote to memory of 208	1960	0b94975f5dde6feab979853991933616.exe	86
PID 1960 wrote to memory of 208	1960	0b94975f5dde6feab979853991933616.exe	86
PID 1960 wrote to memory of 208	1960	0b94975f5dde6feab979853991933616.exe	86
PID 1960 wrote to memory of 208	1960	0b94975f5dde6feab979853991933616.exe	86
PID 1960 wrote to memory of 208	1960	0b94975f5dde6feab979853991933616.exe	86
PID 1960 wrote to memory of 208	1960	0b94975f5dde6feab979853991933616.exe	86
PID 1960 wrote to memory of 208	1960	0b94975f5dde6feab979853991933616.exe	86
PID 1960 wrote to memory of 208	1960	0b94975f5dde6feab979853991933616.exe	86
PID 1960 wrote to memory of 208	1960	0b94975f5dde6feab979853991933616.exe	86
PID 1960 wrote to memory of 208	1960	0b94975f5dde6feab979853991933616.exe	86
PID 1960 wrote to memory of 208	1960	0b94975f5dde6feab979853991933616.exe	86

C:\Users\Admin\AppData\Local\Temp\0b94975f5dde6feab979853991933616.exe
"C:\Users\Admin\AppData\Local\Temp\0b94975f5dde6feab979853991933616.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\0b94975f5dde6feab979853991933616.exe
  "C:\Users\Admin\AppData\Local\Temp\0b94975f5dde6feab979853991933616.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chrcrh\logs.dat

Filesize
144B

MD5
039f70a26396e022421199b97171d26f

SHA1
205e1bea6be5bea1bdfd5f00157828156e57e6fd

SHA256
17c367b1097f97ffb429165b0ea8a1b39506209c091e7dca12cc80e183e97e65

SHA512
c4308c8235f715096602c9dad1bef4d6be628c2394ef47bbf71d51205c227c9d588dcc5402dd1db5ff2954eb86193104cef07c1b30b26444360148ca4cb4ab63

Download Submit
memory/208-149-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-182-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-148-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-175-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-174-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-167-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-140-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-141-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-144-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-146-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-166-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-150-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-159-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-151-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-152-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-154-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-157-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/208-158-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1960-134-0x0000000005370000-0x0000000005914000-memory.dmp

Filesize
5.6MB

Download
memory/1960-135-0x0000000004E60000-0x0000000004EF2000-memory.dmp

Filesize
584KB

Download
memory/1960-136-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/1960-139-0x00000000072A0000-0x000000000733C000-memory.dmp

Filesize
624KB

Download
memory/1960-138-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/1960-137-0x0000000004E50000-0x0000000004E5A000-memory.dmp

Filesize
40KB

Download
memory/1960-133-0x0000000000380000-0x000000000048C000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing