remcos | 43c39e05ae59835e16df8bd732cd035292db70bc2c2d6d95ac354622bfa376ec

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2023 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

987KB
MD5

03dc66eb73f94113115e145a35599724
SHA1

88fdf81626acf5a1b2b561002b5ea6425c7b23fe
SHA256

43c39e05ae59835e16df8bd732cd035292db70bc2c2d6d95ac354622bfa376ec
SHA512

0e505655394d3e0728c7dcaa3157f0b1293bc9255727acec3435d7a4db8dcf9a130c2240cb6028dd2ca90cd9646e3b05075c8f0ccd56412f373e4a923f5badbe
SSDEEP

12288:97z5GoJiGaq5auiuHeSV0TL4X10nL8BeBQe90wgYlS+al1JiWYyn54FVHmSI9/VQ:55GoR5aQT0aqF2euimJiWYI4E1OaWoW

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

seanblacin.sytes.net:6110

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
chrcrh.exe
copy_folder
chrcrh
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
chrcrh
mouse_option
false
mutex
Rmc-FDI6XX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
chrcrh
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 2276 set thread context of 2404 2276 tmp.exe tmp.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

tmp.exe

pid process

2404 tmp.exe

description	pid	process	target process
PID 2276 set thread context of 2404	2276	tmp.exe	tmp.exe

pid	process
2404	tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 2276 wrote to memory of 2404	2276	tmp.exe	tmp.exe
PID 2276 wrote to memory of 2404	2276	tmp.exe	tmp.exe
PID 2276 wrote to memory of 2404	2276	tmp.exe	tmp.exe
PID 2276 wrote to memory of 2404	2276	tmp.exe	tmp.exe
PID 2276 wrote to memory of 2404	2276	tmp.exe	tmp.exe
PID 2276 wrote to memory of 2404	2276	tmp.exe	tmp.exe
PID 2276 wrote to memory of 2404	2276	tmp.exe	tmp.exe
PID 2276 wrote to memory of 2404	2276	tmp.exe	tmp.exe
PID 2276 wrote to memory of 2404	2276	tmp.exe	tmp.exe
PID 2276 wrote to memory of 2404	2276	tmp.exe	tmp.exe
PID 2276 wrote to memory of 2404	2276	tmp.exe	tmp.exe
PID 2276 wrote to memory of 2404	2276	tmp.exe	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chrcrh\logs.dat
Filesize
144B

MD5
261c58c800a06fe3847d870e4e89b360

SHA1
cf0f6f6762e3445f32953632c0016e57119df933

SHA256
ef90cf70ddb9100d82bb7aaaa2d2a5977324627eb6e954ea01a4c389ba081d54

SHA512
8e48279fec7f0c74e1271a746ec446bee9d3468243edc6549f99a969913a1d29d69fb42068260d7593758f565845ec5e8383ccd3ef907a5b0b0be4c0915b9133

Download Submit
memory/2276-133-0x0000000000AF0000-0x0000000000BEE000-memory.dmp

Filesize
1016KB

Download
memory/2276-134-0x0000000005BC0000-0x0000000006164000-memory.dmp

Filesize
5.6MB

Download
memory/2276-135-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/2276-136-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/2276-137-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/2276-138-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/2276-139-0x00000000076B0000-0x000000000774C000-memory.dmp

Filesize
624KB

Download
memory/2404-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-152-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-144-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-146-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-142-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-148-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-149-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-150-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-151-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-155-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-158-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-159-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-160-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-140-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-167-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-168-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-175-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2404-176-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download