remcos | 269616c92c90474d1bd9100a160b478aa29124751e7862d99093376470a99bf6

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
15/11/2023, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe
Size

1023.9MB
MD5

e187abc066f3a9b3751199160e80416e
SHA1

9615d3c182031fd626fc9f4eb691ee1f94b516f1
SHA256

6abbdd5105f4caf66cc11b6dbaf1ee4713ffcd5da388271c06e7498b38a76e92
SHA512

92ec4972052995e313a20cdd6c3461bab8e0811697bd9b3704a6c2082ec91f8d0439853415c4d67b965af1a9ce043d445b3fa5d8ce617dfa2d6ef8b06002f8e1
SSDEEP

24576:3qpXIhjkNbsNcg8McK/kUacq9Zm7W8WQYI:ahI1UgBVu39Y7GQY

Score

10^/10

remcos baloto rat

Malware Config

Extracted

Family

remcos

Botnet

BALOTO

nazareno77.con-ip.com:7770

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GC9ATE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1936 set thread context of 2848	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	28

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2568	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2848	csc.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2848	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	28
PID 1936 wrote to memory of 2848	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	28
PID 1936 wrote to memory of 2848	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	28
PID 1936 wrote to memory of 2848	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	28
PID 1936 wrote to memory of 2848	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	28
PID 1936 wrote to memory of 2848	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	28
PID 1936 wrote to memory of 2848	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	28
PID 1936 wrote to memory of 2848	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	28
PID 1936 wrote to memory of 2848	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	28
PID 1936 wrote to memory of 2848	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	28
PID 1936 wrote to memory of 2848	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	28
PID 1936 wrote to memory of 2848	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	28
PID 1936 wrote to memory of 2848	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	28
PID 1936 wrote to memory of 2528	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	34
PID 1936 wrote to memory of 2528	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	34
PID 1936 wrote to memory of 2528	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	34
PID 1936 wrote to memory of 2528	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	34
PID 1936 wrote to memory of 2544	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	33
PID 1936 wrote to memory of 2544	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	33
PID 1936 wrote to memory of 2544	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	33
PID 1936 wrote to memory of 2544	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	33
PID 1936 wrote to memory of 2564	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	32
PID 1936 wrote to memory of 2564	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	32
PID 1936 wrote to memory of 2564	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	32
PID 1936 wrote to memory of 2564	1936	77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe	32
PID 2544 wrote to memory of 2568	2544	cmd.exe	35
PID 2544 wrote to memory of 2568	2544	cmd.exe	35
PID 2544 wrote to memory of 2568	2544	cmd.exe	35
PID 2544 wrote to memory of 2568	2544	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe
"C:\Users\Admin\AppData\Local\Temp\77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2848
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\77B3279A611F820EC3ADFFA041C6E00DF83AC3F85B6A141F37A7D3078D492246.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  PID:2564
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
d55d8c4bb7c7fe8e287d14f5331bec3a

SHA1
9616e6eb86146d17ccc95ed7331ede164eb81abe

SHA256
fec7e16db45dbb68200ebacf2808d4c05c52b1a29662ec240067738d0655af36

SHA512
355a064b9b4bf9375aa8c23d35063cf720ceafeefdaa4c2f5920d62b8a364a4cd056e11d040c4c8fc70305eaf0f35d03a5e6fdd330e483f75fa3197cfe6400f4

Download Submit
memory/1936-25-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/1936-1-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/1936-2-0x0000000000E00000-0x0000000000E40000-memory.dmp

Filesize
256KB

Download
memory/1936-0-0x0000000001380000-0x0000000001482000-memory.dmp

Filesize
1.0MB

Download
memory/2848-27-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-37-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-12-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-11-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-10-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-13-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-14-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2848-20-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-7-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-15-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-26-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-5-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-30-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-31-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-36-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-9-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-3-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-42-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-43-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-48-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-50-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-55-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-56-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-61-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-62-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-67-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-68-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-73-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2848-74-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads