remcos | 6fc2e608ca99dc9bdb7468659788eada4780209ed30d0fd6a512c6f427f5f5b1

General

Target

c810a5a95a472e7e40c7fde9bc7b13ae.exe
Size

391KB
MD5

c810a5a95a472e7e40c7fde9bc7b13ae
SHA1

c55548a31b254564c6178faa4d971b40a0281e2b
SHA256

6fc2e608ca99dc9bdb7468659788eada4780209ed30d0fd6a512c6f427f5f5b1
SHA512

76612118d23503ca5502ad95adbe081e71100ebfbc9374e2a998b1be644a3bca6e7567730da244cee473f19e3dbfc309111c94f6b7d8b9377e3768b3cdcac56b
SSDEEP

6144:xTgLfIG1ex4pgPGx1Xqxq3XGxKLbN+vF0Zx+FA6Zkeu4tOvb0r:+LI4ex4GaJqE8AbUiZxKx634gb

Score

10^/10

remcos december rat

Malware Config

Extracted

Family

remcos

Botnet

december

C2

91.92.243.110:3734

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QGHS48
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Program crash 24 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3540	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
816	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
436	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
2340	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
2320	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
1824	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
5088	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
3292	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
4496	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
4400	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
864	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
2900	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
2072	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
2320	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
2292	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
4284	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
896	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
4640	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
2500	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
1584	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
3552	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
1644	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
4212	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe
3244	3168	WerFault.exe	c810a5a95a472e7e40c7fde9bc7b13ae.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c810a5a95a472e7e40c7fde9bc7b13ae.exe

pid process

3168 c810a5a95a472e7e40c7fde9bc7b13ae.exe

pid	process
3168	c810a5a95a472e7e40c7fde9bc7b13ae.exe

C:\Users\Admin\AppData\Local\Temp\c810a5a95a472e7e40c7fde9bc7b13ae.exe
"C:\Users\Admin\AppData\Local\Temp\c810a5a95a472e7e40c7fde9bc7b13ae.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 636
2⤵
- Program crash
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 652
2⤵
- Program crash
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 728
2⤵
- Program crash
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 752
2⤵
- Program crash
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 772
2⤵
- Program crash
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 728
2⤵
- Program crash
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 820
2⤵
- Program crash
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 840
2⤵
- Program crash
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 992
2⤵
- Program crash
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1000
2⤵
- Program crash
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1000
2⤵
- Program crash
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1020
2⤵
- Program crash
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1116
2⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1348
2⤵
- Program crash
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 796
2⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1492
2⤵
- Program crash
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1528
2⤵
- Program crash
PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1488
2⤵
- Program crash
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1512
2⤵
- Program crash
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 928
2⤵
- Program crash
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1516
2⤵
- Program crash
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1532
2⤵
- Program crash
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 928
2⤵
- Program crash
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1008
2⤵
- Program crash
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3168 -ip 3168
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3168 -ip 3168
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3168 -ip 3168
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3168 -ip 3168
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3168 -ip 3168
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3168 -ip 3168
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3168 -ip 3168
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3168 -ip 3168
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3168 -ip 3168
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3168 -ip 3168
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3168 -ip 3168
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3168 -ip 3168
1⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3168 -ip 3168
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3168 -ip 3168
1⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3168 -ip 3168
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3168 -ip 3168
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3168 -ip 3168
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3168 -ip 3168
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3168 -ip 3168
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3168 -ip 3168
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3168 -ip 3168
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3168 -ip 3168
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3168 -ip 3168
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3168 -ip 3168
1⤵
PID:2360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
1c97d3d2104dab5b2090aabb335a6918

SHA1
5d2889ef0734959c3d9a9cdc79ee027b9af81bb3

SHA256
1cd7ec05b004d984b9fcfebf47344360ddbad1d635754298707320633c0cdaa6

SHA512
90c0ef4e852097b1fc2e71ee354792712f078d4d3720f20e0aa7f8f9a993e2916ba1fec70eb1f7cb0f113036060f87b417d778c40540abe98da3fe3e18ab916e

Download Submit
memory/3168-17-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-41-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-4-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-8-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-9-0x0000000000B20000-0x0000000000C20000-memory.dmp

Filesize
1024KB

Download
memory/3168-11-0x00000000025D0000-0x000000000264A000-memory.dmp

Filesize
488KB

Download
memory/3168-12-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-20-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-47-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-3-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-14-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-23-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-26-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-29-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-32-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-35-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-38-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-1-0x0000000000B20000-0x0000000000C20000-memory.dmp

Filesize
1024KB

Download
memory/3168-44-0x0000000000400000-0x0000000000884000-memory.dmp

Filesize
4.5MB

Download
memory/3168-2-0x00000000025D0000-0x000000000264A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing