remcos | 75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
05/08/2023, 14:17 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe
Size

909KB
MD5

4853aa5ad98757a756f1acfe1bed460d
SHA1

816027f9fbce3d22624db698ede23a2d4cc25023
SHA256

75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e
SHA512

756dc810b13bf18bad2495b78afbfd0fee281de55eadc5a24b2ebd4ece60bffba01420f3edcc42994500d5978a277e832fb8627c058a2a7cac52bfcb25065097
SSDEEP

24576:F+1IOE/QNWkphcu3WGMPBGqHsOGCP9xMS5RkP5:F+1XrhcuW3GqBGCP9x/5RK5

Score

10^/10

remcos thcinc rat

Malware Config

Extracted

Family

remcos

Botnet

Thcinc

b6079658.sytes.net:6110

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
thcinc.exe
copy_folder
Thcinc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
thcinc
mouse_option
false
mutex
Rmc-X26LV5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1556 set thread context of 1040	1556	75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe	30

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1040	75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 1040	1556	75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe	30
PID 1556 wrote to memory of 1040	1556	75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe	30
PID 1556 wrote to memory of 1040	1556	75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe	30
PID 1556 wrote to memory of 1040	1556	75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe	30
PID 1556 wrote to memory of 1040	1556	75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe	30
PID 1556 wrote to memory of 1040	1556	75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe	30
PID 1556 wrote to memory of 1040	1556	75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe	30
PID 1556 wrote to memory of 1040	1556	75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe	30
PID 1556 wrote to memory of 1040	1556	75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe	30
PID 1556 wrote to memory of 1040	1556	75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe	30
PID 1556 wrote to memory of 1040	1556	75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe	30
PID 1556 wrote to memory of 1040	1556	75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe	30
PID 1556 wrote to memory of 1040	1556	75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe	30

C:\Users\Admin\AppData\Local\Temp\75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe
"C:\Users\Admin\AppData\Local\Temp\75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1040

Network

DNS

b6079658.sytes.net

75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe

Remote address:

8.8.8.8:53

Request

b6079658.sytes.net

IN A

Response

b6079658.sytes.net

IN A

109.206.243.174
DNS

geoplugin.net

75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe

Remote address:

8.8.8.8:53

Request

geoplugin.net

IN A

Response

geoplugin.net

IN A

178.237.33.50
GET

http://geoplugin.net/json.gp

75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe

Remote address:

178.237.33.50:80

Request

GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Sat, 05 Aug 2023 14:18:32 GMT
server: Apache
content-length: 930
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *

109.206.243.174:6110

b6079658.sytes.net

tls

75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe

3.3kB
1.4kB
12
14
178.237.33.50:80

http://geoplugin.net/json.gp

http

75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe

301 B
2.4kB
5
4

HTTP Request

GET http://geoplugin.net/json.gp

HTTP Response

200

8.8.8.8:53

b6079658.sytes.net

dns

75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe

64 B
80 B
1
1

DNS Request

b6079658.sytes.net

DNS Response

109.206.243.174
8.8.8.8:53

geoplugin.net

dns

75e57d3f76491b9bc7fe155b20ea8f9498892bd54a34824fca50bf0ae4a1902e_JC.exe

59 B
75 B
1
1

DNS Request

geoplugin.net

DNS Response

178.237.33.50

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\thcinc\logs.dat

Filesize
144B

MD5
f92252039edc2b413f4b9e9ee147be74

SHA1
9ba83c4aa2f02de5c00d286f7dac0db03eaa689b

SHA256
a4f5d2d858f0688c1ab613dc4eb1dfdf260505496d8f37d3eccfeb8e15df8725

SHA512
1603d910b2562add14451c9385841d53b4bd61c7b48acf55c0eef6b9c1f6a73c441c94dd07a2c40c173115957a8fb95d4b35f8c7cb83096bd88456e3ae4c161f

Download Submit
memory/1040-78-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-81-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-121-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-120-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-113-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-80-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-112-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-61-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-62-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-63-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-64-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-68-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-66-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-70-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-72-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1040-76-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-105-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-104-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-97-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-96-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-83-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-84-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-85-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-86-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-87-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-90-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1040-93-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1556-59-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/1556-79-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/1556-54-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/1556-55-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/1556-53-0x00000000010D0000-0x00000000011BA000-memory.dmp

Filesize
936KB

Download
memory/1556-60-0x0000000005770000-0x0000000005828000-memory.dmp

Filesize
736KB

Download
memory/1556-58-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/1556-57-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/1556-56-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response