remcos | e45afde600fe6309191801a04d60dc61f43a74347de9cafc042c2ff579a69b89

General

Target

DOCX_6802_1755_02_2023FINAL.exe
Size

1.3MB
MD5

5c0c977e9713c9764f7382c0da3b5c17
SHA1

a38d48edefd468f5d01f9f870a3bc54941f100e8
SHA256

e45afde600fe6309191801a04d60dc61f43a74347de9cafc042c2ff579a69b89
SHA512

b25d0ca63386479c21d96a46a2bc81aae4f3bf37bccbaca7bcd31981b84cf7e45edfc5cfb731a0df01e43e9afbb0eddf79b3efd523f63a8188e601fea452c7ca
SSDEEP

12288:T3gndrEp7MW7O3AJYWhtAdsL38MsDpN9JUNXU+wEV:T3gGp9O3AJYEtT3sDL92N9V

Score

10^/10

remcos 777 rat

Malware Config

Extracted

Family

remcos

Botnet

777

C2

graciiasdios777.con-ip.com:7770

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-DU2JK9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

DOCX_6802_1755_02_2023FINAL.exe

description pid process target process

PID 2300 set thread context of 1744 2300 DOCX_6802_1755_02_2023FINAL.exe csc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2328 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

csc.exe

pid process

1744 csc.exe

description	pid	process	target process
PID 2300 set thread context of 1744	2300	DOCX_6802_1755_02_2023FINAL.exe	csc.exe

pid	process
2328	schtasks.exe

pid	process
1744	csc.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

DOCX_6802_1755_02_2023FINAL.execmd.exe

description	pid	process	target process
PID 2300 wrote to memory of 1744	2300	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 2300 wrote to memory of 1744	2300	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 2300 wrote to memory of 1744	2300	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 2300 wrote to memory of 1744	2300	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 2300 wrote to memory of 1744	2300	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 2300 wrote to memory of 1744	2300	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 2300 wrote to memory of 1744	2300	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 2300 wrote to memory of 1744	2300	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 2300 wrote to memory of 1744	2300	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 2300 wrote to memory of 1744	2300	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 2300 wrote to memory of 1744	2300	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 2300 wrote to memory of 1744	2300	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 2300 wrote to memory of 1744	2300	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 2300 wrote to memory of 1644	2300	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 2300 wrote to memory of 1644	2300	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 2300 wrote to memory of 1644	2300	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 2300 wrote to memory of 1644	2300	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 2300 wrote to memory of 2428	2300	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 2300 wrote to memory of 2428	2300	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 2300 wrote to memory of 2428	2300	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 2300 wrote to memory of 2428	2300	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 2428 wrote to memory of 2328	2428	cmd.exe	schtasks.exe
PID 2428 wrote to memory of 2328	2428	cmd.exe	schtasks.exe
PID 2428 wrote to memory of 2328	2428	cmd.exe	schtasks.exe
PID 2428 wrote to memory of 2328	2428	cmd.exe	schtasks.exe
PID 2300 wrote to memory of 2464	2300	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 2300 wrote to memory of 2464	2300	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 2300 wrote to memory of 2464	2300	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 2300 wrote to memory of 2464	2300	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\DOCX_6802_1755_02_2023FINAL.exe
"C:\Users\Admin\AppData\Local\Temp\DOCX_6802_1755_02_2023FINAL.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
2⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2328

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\DOCX_6802_1755_02_2023FINAL.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
2⤵
PID:2464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
02e0ae6055aa8bdfcdcb8b0217dd39ca

SHA1
88f19921c45456ae8cddb75fcb5e61f51598d964

SHA256
16b3f3913a040df9f5852e228c7944a89b2e148cff715a3881978761387be2fa

SHA512
b17c443fff53cc4979fd821a4b2216f36d3fefd1c4aa044e0373977d2e04e86bc8c2b82644e38ef91edbd0be3dbbac4914f505fcf3563e4000eab5a9255124d6

Download Submit
memory/1744-83-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-119-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-57-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-59-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-60-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-61-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-82-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-63-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-64-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-65-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-67-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1744-69-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-74-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-79-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-125-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-80-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-62-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-84-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-124-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-92-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-93-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-117-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-98-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-99-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-105-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-106-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-111-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/1744-112-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/2300-54-0x0000000000BB0000-0x0000000000CDE000-memory.dmp

Filesize
1.2MB

Download
memory/2300-55-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-87-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-56-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads