remcos | 6b961c5d21caacccd497483e19905905dc333c1abb95da32a01667979f6ba578

General

Target

RADICADO;87520032667 -2023-001320.exe
Size

1023.9MB
MD5

71454a54651362b5a08510f163a82970
SHA1

f61556c94db9d224768edaaf2cf20f0b42329e6c
SHA256

9d0ae6e8ec8ea110aa3d269ca4f89182627fff39baafd86fb22ce6cc4328920d
SHA512

7c9fff7da952ff55862dd1ba4f0ba3f0b64728a084cf71494f1e6d073f72159a71463b030fba1f593c47887709b8209fd5c5cdd30e7f0f8e68000201f4c397b3
SSDEEP

12288:JOQDQ0skhCKd1pnSJpI5xAzXlxJpGjcV+8ETd5jYLl5Hmkxfr1:kKdey5qzXlxv+/xrW5H/r1

Score

10^/10

remcos corone rat

Malware Config

Extracted

Family

remcos

Botnet

CORONE

C2

farsante9.con-ip.com:7770

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-W9C5KV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

RADICADO;87520032667 -2023-001320.exe

description pid process target process

PID 1964 set thread context of 2456 1964 RADICADO;87520032667 -2023-001320.exe csc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4904 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

csc.exe

pid process

2456 csc.exe

description	pid	process	target process
PID 1964 set thread context of 2456	1964	RADICADO;87520032667 -2023-001320.exe	csc.exe

pid	process
4904	schtasks.exe

pid	process
2456	csc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

RADICADO;87520032667 -2023-001320.execmd.exe

description	pid	process	target process
PID 1964 wrote to memory of 2456	1964	RADICADO;87520032667 -2023-001320.exe	csc.exe
PID 1964 wrote to memory of 2456	1964	RADICADO;87520032667 -2023-001320.exe	csc.exe
PID 1964 wrote to memory of 2456	1964	RADICADO;87520032667 -2023-001320.exe	csc.exe
PID 1964 wrote to memory of 2456	1964	RADICADO;87520032667 -2023-001320.exe	csc.exe
PID 1964 wrote to memory of 2456	1964	RADICADO;87520032667 -2023-001320.exe	csc.exe
PID 1964 wrote to memory of 2456	1964	RADICADO;87520032667 -2023-001320.exe	csc.exe
PID 1964 wrote to memory of 2456	1964	RADICADO;87520032667 -2023-001320.exe	csc.exe
PID 1964 wrote to memory of 2456	1964	RADICADO;87520032667 -2023-001320.exe	csc.exe
PID 1964 wrote to memory of 2456	1964	RADICADO;87520032667 -2023-001320.exe	csc.exe
PID 1964 wrote to memory of 2456	1964	RADICADO;87520032667 -2023-001320.exe	csc.exe
PID 1964 wrote to memory of 2456	1964	RADICADO;87520032667 -2023-001320.exe	csc.exe
PID 1964 wrote to memory of 2456	1964	RADICADO;87520032667 -2023-001320.exe	csc.exe
PID 1964 wrote to memory of 2684	1964	RADICADO;87520032667 -2023-001320.exe	cmd.exe
PID 1964 wrote to memory of 2684	1964	RADICADO;87520032667 -2023-001320.exe	cmd.exe
PID 1964 wrote to memory of 2684	1964	RADICADO;87520032667 -2023-001320.exe	cmd.exe
PID 1964 wrote to memory of 4420	1964	RADICADO;87520032667 -2023-001320.exe	cmd.exe
PID 1964 wrote to memory of 4420	1964	RADICADO;87520032667 -2023-001320.exe	cmd.exe
PID 1964 wrote to memory of 4420	1964	RADICADO;87520032667 -2023-001320.exe	cmd.exe
PID 1964 wrote to memory of 4980	1964	RADICADO;87520032667 -2023-001320.exe	cmd.exe
PID 1964 wrote to memory of 4980	1964	RADICADO;87520032667 -2023-001320.exe	cmd.exe
PID 1964 wrote to memory of 4980	1964	RADICADO;87520032667 -2023-001320.exe	cmd.exe
PID 4420 wrote to memory of 4904	4420	cmd.exe	schtasks.exe
PID 4420 wrote to memory of 4904	4420	cmd.exe	schtasks.exe
PID 4420 wrote to memory of 4904	4420	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\RADICADO;87520032667 -2023-001320.exe
"C:\Users\Admin\AppData\Local\Temp\RADICADO;87520032667 -2023-001320.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2456

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\AppData"
2⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\RADICADO;87520032667 -2023-001320.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
2⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
c27f6dd3fa84704f78006df11d10ccf3

SHA1
428a0907054930fa67c60b75d1708e51223af38a

SHA256
a7c14e08bd1f919daf3ed0e76b92459aba34ad93f5c2a4944d989362bb510e50

SHA512
b13ead9703dc5070cd653724d0f3483c5869f998f22c41b7e9d8c5d8f64ac56b22619b8ffc605d4c1bd8b6104f52e68c44aaff8144f8c333e6377c9aa66de88c

Download Submit
memory/1964-11-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1964-0-0x00000000007A0000-0x0000000000832000-memory.dmp

Filesize
584KB

Download
memory/1964-2-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/1964-3-0x00000000057C0000-0x0000000005D64000-memory.dmp

Filesize
5.6MB

Download
memory/1964-1-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/2456-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-6-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-9-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-4-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads