remcos | e45afde600fe6309191801a04d60dc61f43a74347de9cafc042c2ff579a69b89

General

Target

DOCX_6802_1755_02_2023FINAL.exe
Size

1.3MB
MD5

5c0c977e9713c9764f7382c0da3b5c17
SHA1

a38d48edefd468f5d01f9f870a3bc54941f100e8
SHA256

e45afde600fe6309191801a04d60dc61f43a74347de9cafc042c2ff579a69b89
SHA512

b25d0ca63386479c21d96a46a2bc81aae4f3bf37bccbaca7bcd31981b84cf7e45edfc5cfb731a0df01e43e9afbb0eddf79b3efd523f63a8188e601fea452c7ca
SSDEEP

12288:T3gndrEp7MW7O3AJYWhtAdsL38MsDpN9JUNXU+wEV:T3gGp9O3AJYEtT3sDL92N9V

Score

10^/10

remcos 777 rat

Malware Config

Extracted

Family

remcos

Botnet

777

C2

graciiasdios777.con-ip.com:7770

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-DU2JK9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

DOCX_6802_1755_02_2023FINAL.exe

description pid process target process

PID 4544 set thread context of 2732 4544 DOCX_6802_1755_02_2023FINAL.exe csc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4152 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

csc.exe

pid process

2732 csc.exe

description	pid	process	target process
PID 4544 set thread context of 2732	4544	DOCX_6802_1755_02_2023FINAL.exe	csc.exe

pid	process
4152	schtasks.exe

pid	process
2732	csc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

DOCX_6802_1755_02_2023FINAL.execmd.exe

description	pid	process	target process
PID 4544 wrote to memory of 2732	4544	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 4544 wrote to memory of 2732	4544	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 4544 wrote to memory of 2732	4544	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 4544 wrote to memory of 2732	4544	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 4544 wrote to memory of 2732	4544	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 4544 wrote to memory of 2732	4544	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 4544 wrote to memory of 2732	4544	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 4544 wrote to memory of 2732	4544	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 4544 wrote to memory of 2732	4544	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 4544 wrote to memory of 2732	4544	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 4544 wrote to memory of 2732	4544	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 4544 wrote to memory of 2732	4544	DOCX_6802_1755_02_2023FINAL.exe	csc.exe
PID 4544 wrote to memory of 4296	4544	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 4544 wrote to memory of 4296	4544	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 4544 wrote to memory of 4296	4544	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 4544 wrote to memory of 3572	4544	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 4544 wrote to memory of 3572	4544	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 4544 wrote to memory of 3572	4544	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 3572 wrote to memory of 4152	3572	cmd.exe	schtasks.exe
PID 3572 wrote to memory of 4152	3572	cmd.exe	schtasks.exe
PID 3572 wrote to memory of 4152	3572	cmd.exe	schtasks.exe
PID 4544 wrote to memory of 3292	4544	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 4544 wrote to memory of 3292	4544	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe
PID 4544 wrote to memory of 3292	4544	DOCX_6802_1755_02_2023FINAL.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\DOCX_6802_1755_02_2023FINAL.exe
"C:\Users\Admin\AppData\Local\Temp\DOCX_6802_1755_02_2023FINAL.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
2⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4152

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\DOCX_6802_1755_02_2023FINAL.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
2⤵
PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
9009da7edc861bf65f593f9548069032

SHA1
75b60f5f98763fbd1da13c0b68cf120931126da4

SHA256
029e44932d646d560f6cd3fd7dd50fc1c0fd3c989a71cccf9e4b73b2e31a51f5

SHA512
8bd26f1218413687f2cdbaa6cddf190b90c817e27a8ed804ea6a3594dadf94e21d0366ee4f5435655c487162228dfa1194cd95db393561efd8a0f9d1ff6b3762

Download Submit
memory/2732-153-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-176-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-157-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-140-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-158-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-142-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-143-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-190-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-146-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-147-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-189-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-184-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-139-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-141-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-145-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-163-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-164-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-170-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-171-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-182-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2732-177-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4544-138-0x0000000005A10000-0x0000000005A20000-memory.dmp

Filesize
64KB

Download
memory/4544-136-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/4544-151-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/4544-137-0x0000000000FA0000-0x00000000010CE000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads