remcos | 9bf4b9429ca440aa066579695a931a819ae710f33f5440242d7a79d3c8f8b708

General

Target

NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe
Size

1023.9MB
MD5

8f6822e3ddc2fe21f5bf4d5aa30a21ff
SHA1

02c62792126e18876e0912df1bec54094b4fff18
SHA256

79f75024bec8099437b8c7398725bc2bf09d9d719eaabfd4c0a0cdf5bbad605a
SHA512

86f2c8e34e65f11345f072fd09c0e6bb7f6cd743bdbcd287618df2304eefc2b4a1d9c5e7437cc5d1f18e4b165b0654a1f610d9d4c907ed70ddc91427bae57d52
SSDEEP

12288:BRloMwsJG9hSQvefIwcFw31x87CUXq/ciQ3LrXw9OTA1xmIF0:3lhMiQvefIf9BgtxbF0

Score

10^/10

remcos fosil rat

Malware Config

Extracted

Family

remcos

Botnet

FOSIL

C2

26febrero.con-ip.com:7770

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-OP4HOW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4736 set thread context of 3952	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2104	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3952	AppLaunch.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3952	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	102
PID 4736 wrote to memory of 3952	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	102
PID 4736 wrote to memory of 3952	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	102
PID 4736 wrote to memory of 3952	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	102
PID 4736 wrote to memory of 3952	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	102
PID 4736 wrote to memory of 3952	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	102
PID 4736 wrote to memory of 3952	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	102
PID 4736 wrote to memory of 3952	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	102
PID 4736 wrote to memory of 3952	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	102
PID 4736 wrote to memory of 3952	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	102
PID 4736 wrote to memory of 3952	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	102
PID 4736 wrote to memory of 3952	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	102
PID 4736 wrote to memory of 3308	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	103
PID 4736 wrote to memory of 3308	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	103
PID 4736 wrote to memory of 3308	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	103
PID 4736 wrote to memory of 4380	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	105
PID 4736 wrote to memory of 4380	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	105
PID 4736 wrote to memory of 4380	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	105
PID 4380 wrote to memory of 2104	4380	cmd.exe	107
PID 4380 wrote to memory of 2104	4380	cmd.exe	107
PID 4380 wrote to memory of 2104	4380	cmd.exe	107
PID 4736 wrote to memory of 3472	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	108
PID 4736 wrote to memory of 3472	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	108
PID 4736 wrote to memory of 3472	4736	NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe	108

C:\Users\Admin\AppData\Local\Temp\NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe
"C:\Users\Admin\AppData\Local\Temp\NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3952
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  PID:3308
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\NOTIFICACIÓN AUTO SENTENCIA; RAD-4577239902-2024..exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
9f4389b437c053dde7519a9fbbbb8794

SHA1
b75b6fd1bc632be900c1f4513ecdaeb4a5806189

SHA256
e7c21a0bb2d95f532a546cf76c48be6f8cfe732d5ef04adbd3bfb448e3e89b73

SHA512
ac261a14955ebb7ed3f2b08fdf58af3fa42ea45b78dae921c2b1a3be923792b6ee83fdd9f35e296940ce21d297cb31d2faa874e4e14dc25e363d4dd6bbe2bdb1

Download Submit
memory/3952-6-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-4-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-10-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3952-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4736-1-0x00000000007E0000-0x0000000000878000-memory.dmp

Filesize
608KB

Download
memory/4736-2-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/4736-16-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-0-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-3-0x0000000005740000-0x0000000005CE4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads