remcos | a5f14c325fadb7b73e34707510beaf7b3c08519446e312776fec498156c593f1

General

Target

QWZ-5664789.exe
Size

601KB
MD5

b8ea296c7e97a2ad3b54e7ffda645606
SHA1

aa34b7e46f6383e6a354dc7dc245bd39a7138cab
SHA256

a5f14c325fadb7b73e34707510beaf7b3c08519446e312776fec498156c593f1
SHA512

3be1984b2f1d62ec2c161d81ee933f6dd285c2a7e0de139679b03c7e9233b38350654c579e2f07fb52f55967abf38da00d2b8f43eaacb8a2c9f4b2fb9b27b7e8
SSDEEP

12288:2h0c+4c7tNemM3T2Hyj69rjoAMfiXDcdhCzNJIuqFP:2PENemMwI69rjoHKIp7FP

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

172.93.217.218:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MV3HJH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Loads dropped DLL 2 IoCs

pid	Process
2248	QWZ-5664789.exe
2248	QWZ-5664789.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2104	QWZ-5664789.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2248	QWZ-5664789.exe
2104	QWZ-5664789.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2248 set thread context of 2104	2248	QWZ-5664789.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2248	QWZ-5664789.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2104	QWZ-5664789.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2104	2248	QWZ-5664789.exe	28
PID 2248 wrote to memory of 2104	2248	QWZ-5664789.exe	28
PID 2248 wrote to memory of 2104	2248	QWZ-5664789.exe	28
PID 2248 wrote to memory of 2104	2248	QWZ-5664789.exe	28
PID 2248 wrote to memory of 2104	2248	QWZ-5664789.exe	28
PID 2248 wrote to memory of 2104	2248	QWZ-5664789.exe	28

C:\Users\Admin\AppData\Local\Temp\QWZ-5664789.exe
"C:\Users\Admin\AppData\Local\Temp\QWZ-5664789.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\QWZ-5664789.exe
  "C:\Users\Admin\AppData\Local\Temp\QWZ-5664789.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
16222de68aabe81cf72a2d021856dec9

SHA1
30d560c52d623f7854e3a6b84d9ddde0485249f9

SHA256
c3e7c5da5f42cb11407558015723050ad3ad4eeccf0b7441848c38416bfff66d

SHA512
f814e9ca9a78c8e878cc64b4860611a263a4651532fb5279a7df140cae195a01899810f1ad77dcc9b2385f973fce655a06b74def624d50b38ff35829ab052ac5

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3A53.tmp\Math.dll

Filesize
66KB

MD5
acf575c18914f32b98d986a8bcfb121d

SHA1
5327d872adc9456b2873a2233b525ece54de6312

SHA256
c7f204986be5b49ed888a9faa479d8f1d40e57456f01e44bf6b9c4eef3f5ecf3

SHA512
6594b42cca0e4780edfe9f161b1d063736cf246ba6fb8292ba19a8921ad11f9ede15cd4e6ec44b96ae0b48844b6f5e78fd67bf85b94a3429805f7310c1a369e4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3A53.tmp\System.dll

Filesize
11KB

MD5
375e8a08471dc6f85f3828488b1147b3

SHA1
1941484ac710fc301a7d31d6f1345e32a21546af

SHA256
4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78

SHA512
5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

Download Submit
memory/2104-30-0x0000000072FC0000-0x0000000074022000-memory.dmp

Filesize
16.4MB

Download
memory/2104-33-0x0000000072FC0000-0x0000000074022000-memory.dmp

Filesize
16.4MB

Download
memory/2104-18-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/2104-19-0x0000000072FC0000-0x0000000074022000-memory.dmp

Filesize
16.4MB

Download
memory/2104-23-0x00000000007C0000-0x00000000051AF000-memory.dmp

Filesize
73.9MB

Download
memory/2104-24-0x0000000072FC0000-0x0000000074022000-memory.dmp

Filesize
16.4MB

Download
memory/2104-27-0x0000000072FC0000-0x0000000074022000-memory.dmp

Filesize
16.4MB

Download
memory/2104-57-0x0000000072FC0000-0x0000000074022000-memory.dmp

Filesize
16.4MB

Download
memory/2104-54-0x0000000072FC0000-0x0000000074022000-memory.dmp

Filesize
16.4MB

Download
memory/2104-51-0x0000000072FC0000-0x0000000074022000-memory.dmp

Filesize
16.4MB

Download
memory/2104-36-0x0000000072FC0000-0x0000000074022000-memory.dmp

Filesize
16.4MB

Download
memory/2104-39-0x0000000072FC0000-0x0000000074022000-memory.dmp

Filesize
16.4MB

Download
memory/2104-42-0x0000000072FC0000-0x0000000074022000-memory.dmp

Filesize
16.4MB

Download
memory/2104-45-0x0000000072FC0000-0x0000000074022000-memory.dmp

Filesize
16.4MB

Download
memory/2104-48-0x0000000072FC0000-0x0000000074022000-memory.dmp

Filesize
16.4MB

Download
memory/2248-16-0x0000000077B80000-0x0000000077C56000-memory.dmp

Filesize
856KB

Download
memory/2248-15-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/2248-17-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing