remcos | 547a1a1d08381d2103c9ef6bd7f1bb68783a8d788dd7b336ddca3fbad3684f53

General

Target

PR18213.exe
Size

386KB
MD5

111ec3b664493425244001508fe4da9f
SHA1

50ed10f291611c37cf1cf8fab9d1acd3ebc676a7
SHA256

547a1a1d08381d2103c9ef6bd7f1bb68783a8d788dd7b336ddca3fbad3684f53
SHA512

a5ce5f334220d3752ad12ae83dbada665c9fdcc020f207ab80280b23e95a99b55605e0fd7426881b45a27fdf4f0e5d0b9e0acd1db283b5474fe99f989ed6a7a5
SSDEEP

6144:TgL8GT9VZcXXALLbrcYz0beRXNXSMMlUvE9XypnsFjvj8ldXIR81I+bz:0P7UX6YtClNXSWHdsRbWXIRg

Score

10^/10

remcos december rat

Malware Config

Extracted

Family

remcos

Botnet

december

C2

91.92.243.110:3734

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QGHS48
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Program crash 26 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4444	2888	WerFault.exe	PR18213.exe
4772	2888	WerFault.exe	PR18213.exe
4492	2888	WerFault.exe	PR18213.exe
2036	2888	WerFault.exe	PR18213.exe
464	2888	WerFault.exe	PR18213.exe
1792	2888	WerFault.exe	PR18213.exe
1232	2888	WerFault.exe	PR18213.exe
432	2888	WerFault.exe	PR18213.exe
3252	2888	WerFault.exe	PR18213.exe
4508	2888	WerFault.exe	PR18213.exe
2072	2888	WerFault.exe	PR18213.exe
1196	2888	WerFault.exe	PR18213.exe
540	2888	WerFault.exe	PR18213.exe
1600	2888	WerFault.exe	PR18213.exe
4772	2888	WerFault.exe	PR18213.exe
5052	2888	WerFault.exe	PR18213.exe
3308	2888	WerFault.exe	PR18213.exe
844	2888	WerFault.exe	PR18213.exe
3788	2888	WerFault.exe	PR18213.exe
3832	2888	WerFault.exe	PR18213.exe
2868	2888	WerFault.exe	PR18213.exe
4132	2888	WerFault.exe	PR18213.exe
4472	2888	WerFault.exe	PR18213.exe
848	2888	WerFault.exe	PR18213.exe
2456	2888	WerFault.exe	PR18213.exe
3172	2888	WerFault.exe	PR18213.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PR18213.exe

pid process

2888 PR18213.exe

pid	process
2888	PR18213.exe

C:\Users\Admin\AppData\Local\Temp\PR18213.exe
"C:\Users\Admin\AppData\Local\Temp\PR18213.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 632
2⤵
- Program crash
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 640
2⤵
- Program crash
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 640
2⤵
- Program crash
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 796
2⤵
- Program crash
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 732
2⤵
- Program crash
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 648
2⤵
- Program crash
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 808
2⤵
- Program crash
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 832
2⤵
- Program crash
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 992
2⤵
- Program crash
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1000
2⤵
- Program crash
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1000
2⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1028
2⤵
- Program crash
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1128
2⤵
- Program crash
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1252
2⤵
- Program crash
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 808
2⤵
- Program crash
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 928
2⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1392
2⤵
- Program crash
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1396
2⤵
- Program crash
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1348
2⤵
- Program crash
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1204
2⤵
- Program crash
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1488
2⤵
- Program crash
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1352
2⤵
- Program crash
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1332
2⤵
- Program crash
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1008
2⤵
- Program crash
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 936
2⤵
- Program crash
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 980
2⤵
- Program crash
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2888 -ip 2888
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2888 -ip 2888
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2888 -ip 2888
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2888 -ip 2888
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2888 -ip 2888
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2888 -ip 2888
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2888 -ip 2888
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2888 -ip 2888
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2888 -ip 2888
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2888 -ip 2888
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2888 -ip 2888
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2888 -ip 2888
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2888 -ip 2888
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2888 -ip 2888
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2888 -ip 2888
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2888 -ip 2888
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2888 -ip 2888
1⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2888 -ip 2888
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2888 -ip 2888
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2888 -ip 2888
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2888 -ip 2888
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2888 -ip 2888
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2888 -ip 2888
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2888 -ip 2888
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2888 -ip 2888
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2888 -ip 2888
1⤵
PID:3744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
e270cf0e543762580f8d1e6801f5d7d3

SHA1
570f9ff399ec138ed522dbc69979ea9baf0768d4

SHA256
5478fc5e216735e05e959ed524e96422c93a370fb34f24359dbc80a9e3a833ad

SHA512
e803da646b1c8ef851618d051d12503d5bbd887ee8c0fd64874ed124988b7662fe536ee59336c4840ac4492287c7c32769605d7f50869917bc905ad8c639a44b

Download Submit
memory/2888-14-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2888-6-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2888-20-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2888-23-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2888-10-0x0000000000AF0000-0x0000000000BF0000-memory.dmp

Filesize
1024KB

Download
memory/2888-11-0x0000000002600000-0x000000000267A000-memory.dmp

Filesize
488KB

Download
memory/2888-2-0x0000000002600000-0x000000000267A000-memory.dmp

Filesize
488KB

Download
memory/2888-1-0x0000000000AF0000-0x0000000000BF0000-memory.dmp

Filesize
1024KB

Download
memory/2888-47-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2888-3-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2888-9-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2888-26-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2888-29-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2888-35-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2888-38-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2888-41-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2888-44-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2888-17-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download

Analysis

Sharing