remcos | 6edd2025975d404dd03d29587b323816831ae47fb71f2feef4abf090d5455af2

General

Target

1cd7eb198eefb598963f5f963caaf0fd.exe
Size

1024.0MB
MD5

9ae018da102c2ea8f58578d25ce59df2
SHA1

1b0a2c45c27f8e7405754dc699a86f9c08e7aecb
SHA256

c26dcc6aa5d1658a2e3027a13b7edbec7b86aeec2214149952e91e7d01418183
SHA512

c76501d2f5ef7519ecfd69751948737d66f982beae0b723ff8aa5b6071aabb77a1e7d1e253c3a44aec609a0d4861677aa4a631b35e342df0820a59263400f28d
SSDEEP

24576:0GQxrRI0xlAuFbKgKhn8eSWdvAzh46vMGgY6lOPYiLbuN7O0bM2oBq02dmWx1UL5:0rIKlAuvKhnlS+d5OPvsmWxw

Score

10^/10

remcos oro rat

Malware Config

Extracted

Family

remcos

Botnet

ORO

C2

anueljose.con-ip.com:1883

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-F6VG7C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4872 set thread context of 5024	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	89

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4728	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5024	AppLaunch.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 5024	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	89
PID 4872 wrote to memory of 5024	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	89
PID 4872 wrote to memory of 5024	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	89
PID 4872 wrote to memory of 5024	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	89
PID 4872 wrote to memory of 5024	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	89
PID 4872 wrote to memory of 5024	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	89
PID 4872 wrote to memory of 5024	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	89
PID 4872 wrote to memory of 5024	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	89
PID 4872 wrote to memory of 5024	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	89
PID 4872 wrote to memory of 5024	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	89
PID 4872 wrote to memory of 5024	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	89
PID 4872 wrote to memory of 5024	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	89
PID 4872 wrote to memory of 2116	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	91
PID 4872 wrote to memory of 2116	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	91
PID 4872 wrote to memory of 2116	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	91
PID 4872 wrote to memory of 3904	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	94
PID 4872 wrote to memory of 3904	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	94
PID 4872 wrote to memory of 3904	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	94
PID 4872 wrote to memory of 4484	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	92
PID 4872 wrote to memory of 4484	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	92
PID 4872 wrote to memory of 4484	4872	1cd7eb198eefb598963f5f963caaf0fd.exe	92
PID 3904 wrote to memory of 4728	3904	cmd.exe	97
PID 3904 wrote to memory of 4728	3904	cmd.exe	97
PID 3904 wrote to memory of 4728	3904	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\1cd7eb198eefb598963f5f963caaf0fd.exe
"C:\Users\Admin\AppData\Local\Temp\1cd7eb198eefb598963f5f963caaf0fd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5024
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  PID:2116
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1cd7eb198eefb598963f5f963caaf0fd.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  PID:4484
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
2a54872b889d073967692a4501b9641b

SHA1
193ad93019762ef8ae0fc22cb662ff71c7840fb2

SHA256
22eb8199faa38d59b3068b8eb38d23ddc77e0429b71a4d493982260a1454d04d

SHA512
f1a29bc355f9927bba8f45f102d5d5a6c0cd15da3c41a3a3712fd65e6cb007e732496d3fe6dd72b3c3043234b02db55b39f20e71f1755e30d335a6aeb78d3eb7

Download Submit
memory/4872-133-0x0000000000970000-0x00000000015FA000-memory.dmp

Filesize
12.5MB

Download
memory/4872-134-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

Filesize
64KB

Download
memory/5024-147-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-151-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-139-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-141-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-142-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-143-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-144-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-145-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-146-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-136-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-150-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-137-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-156-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-135-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-161-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-162-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-169-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-170-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-177-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-178-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-185-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5024-186-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads