remcos | 9bf4b9429ca440aa066579695a931a819ae710f33f5440242d7a79d3c8f8b708

Analysis

max time kernel
185s
max time network
191s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe
Size

1023.9MB
MD5

8f6822e3ddc2fe21f5bf4d5aa30a21ff
SHA1

02c62792126e18876e0912df1bec54094b4fff18
SHA256

79f75024bec8099437b8c7398725bc2bf09d9d719eaabfd4c0a0cdf5bbad605a
SHA512

86f2c8e34e65f11345f072fd09c0e6bb7f6cd743bdbcd287618df2304eefc2b4a1d9c5e7437cc5d1f18e4b165b0654a1f610d9d4c907ed70ddc91427bae57d52
SSDEEP

12288:BRloMwsJG9hSQvefIwcFw31x87CUXq/ciQ3LrXw9OTA1xmIF0:3lhMiQvefIf9BgtxbF0

Score

10^/10

remcos fosil rat

Malware Config

Extracted

Family

remcos

Botnet

FOSIL

26febrero.con-ip.com:7770

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-OP4HOW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2840 set thread context of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2800	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1932	AppLaunch.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 1932	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	28
PID 2840 wrote to memory of 2700	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	29
PID 2840 wrote to memory of 2700	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	29
PID 2840 wrote to memory of 2700	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	29
PID 2840 wrote to memory of 2700	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	29
PID 2840 wrote to memory of 2496	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	31
PID 2840 wrote to memory of 2496	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	31
PID 2840 wrote to memory of 2496	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	31
PID 2840 wrote to memory of 2496	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	31
PID 2496 wrote to memory of 2800	2496	cmd.exe	33
PID 2496 wrote to memory of 2800	2496	cmd.exe	33
PID 2496 wrote to memory of 2800	2496	cmd.exe	33
PID 2496 wrote to memory of 2800	2496	cmd.exe	33
PID 2840 wrote to memory of 2476	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	34
PID 2840 wrote to memory of 2476	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	34
PID 2840 wrote to memory of 2476	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	34
PID 2840 wrote to memory of 2476	2840	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	34

C:\Users\Admin\AppData\Local\Temp\NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe
"C:\Users\Admin\AppData\Local\Temp\NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1932
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  PID:2700
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
0776e4afa730e295e7694c5828103dcd

SHA1
4d6e2735f708cefddbd507528b84bb3c944c9ef6

SHA256
7a2a2447e7a1e7fc2c986030b1a27a4ce7da092c5d832bb4ab6764a7f87ce2e0

SHA512
94d2b3ab1b39c9a0b63262739d153a244ebfcd89873aff26da717a1eebb2f255e97361976e9ce32720199afd39b63b1c7a081a5c6d8a9d26b8c042330da8fcb3

Download Submit
memory/1932-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-3-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-4-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-6-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-9-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-10-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-11-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1932-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1932-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2840-1-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2840-35-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2840-2-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/2840-0-0x0000000001090000-0x0000000001128000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads