remcos | 2172-54-0x0000000000400000-0x0000000000489000-memory[.]dmp | Triage

Sharing

General

Target

2172-54-0x0000000000400000-0x0000000000489000-memory.dmp
Size

548KB
MD5

2f48e93a7f221bd7b36ad5d5ed6429b5
SHA1

af0c4195e81711c57fdd2fb931605f13aad8d69a
SHA256

52bbedd9297304e463814f211701952e3c5757fc665f9101a010ac7249f131fa
SHA512

9a90f00ac3d9acf2d59cf9b86a6237bfadcc6a034e5b6c90c8da228e0c978850386f3fcbdf7849c4148856ead37d5263bf0b40ac64af34293ff3ccfbe8174a2e
SSDEEP

12288:YtRXxReZj3WZfj/2eSseWFaIe2+f8CL44Gs/ZfL:Ytx7cyF2eSsewS8W44NZT

Score

10^/10

upx eth remcos

Malware Config

Extracted

Family

remcos

Botnet

ETH

C2

zoonm.ddns.net:33871

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
vlc.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KDOQDL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos family
remcos

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
sample	upx

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2172-54-0x0000000000400000-0x0000000000489000-memory.dmp

Files

2172-54-0x0000000000400000-0x0000000000489000-memory.dmp
.exe windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 308KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

UPX1
Size: 213KB - Virtual size: 216KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 18KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE