remcos | a60e1197ebcb2a8e1a986ca1136ece71f29252f929841dc0896a7531ed97a1c7

Analysis

max time kernel
154s
max time network
157s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe
Size

1023.9MB
MD5

5d4432554faa63538ab4362aa67c501d
SHA1

bbb415010f500bca1ad3fc43443b6d66e98a8e9b
SHA256

c91265f4bd15473473917248476f78481af72156df9a4043cb47849ca3d814e7
SHA512

51f271ecb509e239420e8f9b9b8d123ed8402f35de9fcb20106ea8452d3c663903d7d6508c95a3cad9040aeaebb6b8cdfaaa2a559a9e0c5c81ed7de447bab649
SSDEEP

24576:JXQbwrXE1tVP6XQDV9XnfJi7ma5Ff/Lglfedx:Wwr0tCQnJi7ma5FLglf

Score

10^/10

remcos bbbbb rat

Malware Config

Extracted

Family

remcos

Botnet

BBBBB

ferfnekfkjerfjre.con-ip.com:1995

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B468MF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2728	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1884	AppLaunch.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 1884	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	28
PID 2364 wrote to memory of 2580	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	29
PID 2364 wrote to memory of 2580	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	29
PID 2364 wrote to memory of 2580	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	29
PID 2364 wrote to memory of 2580	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	29
PID 2364 wrote to memory of 2644	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	31
PID 2364 wrote to memory of 2644	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	31
PID 2364 wrote to memory of 2644	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	31
PID 2364 wrote to memory of 2644	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	31
PID 2644 wrote to memory of 2728	2644	cmd.exe	33
PID 2644 wrote to memory of 2728	2644	cmd.exe	33
PID 2644 wrote to memory of 2728	2644	cmd.exe	33
PID 2644 wrote to memory of 2728	2644	cmd.exe	33
PID 2364 wrote to memory of 2548	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	34
PID 2364 wrote to memory of 2548	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	34
PID 2364 wrote to memory of 2548	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	34
PID 2364 wrote to memory of 2548	2364	NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe	34

C:\Users\Admin\AppData\Local\Temp\NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe
"C:\Users\Admin\AppData\Local\Temp\NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1884
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  PID:2580
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\NOTIFIQUESE DE CONSIGNACIÓN INTERBANCARIO CUS860007368.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
691687ca6749e723ef0afd204bfee76e

SHA1
bf0d03b21ddc9de04aa8661e80a32f3ccfaf47dd

SHA256
33a447fefe893cbb4c4a110ca9bec237d7df5484087b99046de1cc62ab710a8d

SHA512
bd2293745b623bb208eb93deece8bf4e90e7ea51b644b059c660df5e43cb2a7f0ae23681924b5a972431b4c75c79cadbc08ed87bbcb070130fdad6aab44970ef

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
230B

MD5
75eb6e5e81a601c1ae638f8ba6363afd

SHA1
ce9994435e6626c6a06c190b90f7584bc484b23e

SHA256
b5f7c2cb48341b335c4cedcbaa193f2b360e4b8f447883897d1aed7bd0c1f5d8

SHA512
725960709a4fa510d0b14fe3edcf7d5c6d46ca4c1019d03486c55b46830685644865556c5ebb3a1147130a7d791898868305a55be357f0c122e700b55af1be3e

Download Submit
memory/1884-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-9-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-10-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-13-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1884-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-3-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1884-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2364-2-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2364-0-0x0000000000F20000-0x0000000000FE4000-memory.dmp

Filesize
784KB

Download
memory/2364-32-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/2364-1-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads