Overview

overview

10

Static

static

10

6f31f28d71...17.exe

windows7-x64

10

6f31f28d71...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19/03/2024, 02:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6f31f28d716f4d118974c5fd130a02fb742e20f164ea12b2f1e471f58fa5b817.exe

  • Size

    528KB

  • MD5

    2562ad2e3b7633531bafa6737c6c245b

  • SHA1

    ae4f5f50f98ba3aa77f891ae6a691869e51dc7e5

  • SHA256

    6f31f28d716f4d118974c5fd130a02fb742e20f164ea12b2f1e471f58fa5b817

  • SHA512

    6147bbf148bef4b87845cf09e7c95397ec5a13674ee4454444bdb582cc397ce58315176498f46cf6ca184d5b953fcd709b62cde8b84a0cfedc6289cdee9d7fea

  • SSDEEP

    12288:bvu8+/mPTjv4dvLLy6gLPTznyl8PzBJZdR2hhTpjKsPLPPPPPPSPPP:K8++PT7EvXy6gLPfu87BGRVPLPPPPPPK

Score
10/10
remcosrrrrrrrrrat

Malware Config

Extracted

Family

remcos

Botnet

RRRRRRRR

C2

busbuctomorrrw.ddns.net:6609

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-QLGWW3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 42 IoCs
  • Detects executables packed with SmartAssembly 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f31f28d716f4d118974c5fd130a02fb742e20f164ea12b2f1e471f58fa5b817.exe
    "C:\Users\Admin\AppData\Local\Temp\6f31f28d716f4d118974c5fd130a02fb742e20f164ea12b2f1e471f58fa5b817.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:2468
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c mkdir "C:\Users\Admin\AppData\Local\Temp\Phots"
        2⤵
          PID:2588
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe'" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2528
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe'" /f
            3⤵
            • Creates scheduled task(s)
            PID:1900
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\6f31f28d716f4d118974c5fd130a02fb742e20f164ea12b2f1e471f58fa5b817.exe" "C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe"
          2⤵
            PID:2688
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {26AC71DF-D8A7-4E8B-8F20-5BBA2ECB3FA2} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1544
          • C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe
            C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2360
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              3⤵
                PID:948
              • C:\Windows\SysWOW64\cmd.exe
                "cmd" /c mkdir "C:\Users\Admin\AppData\Local\Temp\Phots"
                3⤵
                  PID:812
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe'" /f
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2140
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe'" /f
                    4⤵
                    • Creates scheduled task(s)
                    PID:1812
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe" "C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe"
                  3⤵
                    PID:1800
                • C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe
                  C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:2028
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                    3⤵
                      PID:1268
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd" /c mkdir "C:\Users\Admin\AppData\Local\Temp\Phots"
                      3⤵
                        PID:1144
                      • C:\Windows\SysWOW64\cmd.exe
                        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe'" /f
                        3⤵
                          PID:528
                          • C:\Windows\SysWOW64\schtasks.exe
                            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe'" /f
                            4⤵
                            • Creates scheduled task(s)
                            PID:1244
                        • C:\Windows\SysWOW64\cmd.exe
                          "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe" "C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe"
                          3⤵
                            PID:1248

                      Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe
                              Filesize

                              318KB

                              MD5

                              2ebbebd404ff16674b46018239faab62

                              SHA1

                              70be47b4bfda6533ab12415fd377119df35481e3

                              SHA256

                              fa3994194819d3047931d7bdb1d2cc2071ee8ca85dd4c672e61321bbf9d96960

                              SHA512

                              4d2a7b50e6afe96d84781bbd06a16f5dfcf4653e5fc5b8986a2c0294602ab6ea7b287f94817f802b77c3c7932b93d40b61fa3462b665da2588a1cddf1039e60c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\Phots\Phots.exe
                              Filesize

                              528KB

                              MD5

                              2562ad2e3b7633531bafa6737c6c245b

                              SHA1

                              ae4f5f50f98ba3aa77f891ae6a691869e51dc7e5

                              SHA256

                              6f31f28d716f4d118974c5fd130a02fb742e20f164ea12b2f1e471f58fa5b817

                              SHA512

                              6147bbf148bef4b87845cf09e7c95397ec5a13674ee4454444bdb582cc397ce58315176498f46cf6ca184d5b953fcd709b62cde8b84a0cfedc6289cdee9d7fea

                              Download Submit

                            • memory/948-49-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/948-54-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2028-103-0x0000000074A90000-0x000000007517E000-memory.dmp

                              Filesize

                              6.9MB

                              Download

                            • memory/2028-80-0x0000000004780000-0x00000000047C0000-memory.dmp

                              Filesize

                              256KB

                              Download

                            • memory/2028-79-0x0000000000BE0000-0x0000000000C68000-memory.dmp

                              Filesize

                              544KB

                              Download

                            • memory/2028-78-0x0000000074A90000-0x000000007517E000-memory.dmp

                              Filesize

                              6.9MB

                              Download

                            • memory/2360-53-0x0000000074AE0000-0x00000000751CE000-memory.dmp

                              Filesize

                              6.9MB

                              Download

                            • memory/2360-37-0x0000000004530000-0x0000000004570000-memory.dmp

                              Filesize

                              256KB

                              Download

                            • memory/2360-35-0x0000000074AE0000-0x00000000751CE000-memory.dmp

                              Filesize

                              6.9MB

                              Download

                            • memory/2360-34-0x0000000000BE0000-0x0000000000C68000-memory.dmp

                              Filesize

                              544KB

                              Download

                            • memory/2456-2-0x0000000000550000-0x0000000000590000-memory.dmp

                              Filesize

                              256KB

                              Download

                            • memory/2456-1-0x0000000074B20000-0x000000007520E000-memory.dmp

                              Filesize

                              6.9MB

                              Download

                            • memory/2456-0-0x0000000000A20000-0x0000000000AA8000-memory.dmp

                              Filesize

                              544KB

                              Download

                            • memory/2456-20-0x0000000074B20000-0x000000007520E000-memory.dmp

                              Filesize

                              6.9MB

                              Download

                            • memory/2468-17-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-59-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-23-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-24-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-25-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-26-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-27-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-28-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-29-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-30-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-31-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-21-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-16-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-14-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-13-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2468-12-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-11-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-10-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-8-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-55-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-56-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-57-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-58-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-22-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-60-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-61-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-62-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-63-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-64-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-65-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-66-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-67-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-68-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-69-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-70-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-71-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-72-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-73-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-74-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-75-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-76-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-9-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-5-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-6-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download

                            • memory/2468-3-0x0000000000400000-0x0000000000482000-memory.dmp

                              Filesize

                              520KB

                              Download