remcos | 867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d

General

Target

867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe
Size

1.3MB
MD5

b26007c701f550b1bff5150c37f824f7
SHA1

d91621bf95cf9be7b7b6e941e715f27e0e9f5b07
SHA256

867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d
SHA512

5502a9a1eaee1e172367f678728b17aff5922cc4dc46504dc25151aee4a9234c9c2978fc75baeeed4cc3b604b382afd784cde9a4500d8dc23d9a59f81ab23a32
SSDEEP

24576:oAHnh+eWsN3skA4RV1Hom2KXMmHaYQ3viOWeXvtSHIqS5NV9n5:vh+ZkldoPK8YaYrHIqONVr

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

shgoini.com:30902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7XHN5V
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Drops startup file 1 IoCs

Processes:

b.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b.vbs b.exe
Executes dropped EXE 1 IoCs

Processes:

b.exe

pid process

4904 b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b.vbs	b.exe

pid	process
4904	b.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\directory\b.exe	autoit_exe
C:\Users\Admin\AppData\Local\directory\b.exe	autoit_exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exeb.exe

pid	process
1492	867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe
1492	867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe
4904	b.exe
4904	b.exe
4904	b.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exeb.exe

pid	process
1492	867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe
1492	867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe
4904	b.exe
4904	b.exe
4904	b.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe

description	pid	process	target process
PID 1492 wrote to memory of 4904	1492	867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe	b.exe
PID 1492 wrote to memory of 4904	1492	867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe	b.exe
PID 1492 wrote to memory of 4904	1492	867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe	b.exe

C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe
"C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\directory\b.exe
"C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\harrowment

Filesize
483KB

MD5
b6abb946c8fafd3c39c65d0018f08292

SHA1
66252a9190a46ec0f39a19c7eb9eff714ebc1f02

SHA256
e70f501e004d971117243365f226ffe8fb691bcc1383be3dd2271df7a8301045

SHA512
d7d1355ae50b1d27fbe939ae10c38fd08343504e5c1b45a28bfc3478ce87fb6bf0009b7434ebdcd521c767d96939f40c7ff54f13e1fa676fdb940adf24bf2b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\selectee

Filesize
29KB

MD5
90a853c50ee02062c0ba5e4df26e55f4

SHA1
e0625192e1c47f4cc6ad0eec8a093705444f968d

SHA256
709d2fcf79f4d1f8646d42916fda954a52ba88bc4b930b0642afb7b991027b21

SHA512
2279913280b84a2e26423fa9bbc4064b6fd21f92ba99fcc9c41e83a869c7af3b1fb55032af3fff3cb9c8eb23bfb73692b6d4a888741c707ca12cad1553c3e525

Download Submit
C:\Users\Admin\AppData\Local\directory\b.exe

Filesize
13.5MB

MD5
2f56cf1ccfd6c9a6e5d4901597956c5c

SHA1
b8515e5bd50d9838612310ff1f9fffef5c323ee3

SHA256
5d825a2c446af71d3349f6c33928b3f749226793278675436934246c5d15bb2d

SHA512
6a8a9044a752e76e58dd4c041b7073714d4a5a1c87cfcf9b58912908ae36b75c656f11ff97f4a94d1c7700881eab913e11039eb89da82a68d0e42c2ea5635389

Download Submit
C:\Users\Admin\AppData\Local\directory\b.exe

Filesize
16.4MB

MD5
c47e01223620a2db13420e4d8c73090c

SHA1
36d7bd6fdd825730cad2763a579171b87e316e28

SHA256
ca03205746ac166a23c330e65ad21d43d0a554c2dcc2e2026dfcab1131a1a8de

SHA512
a93d75d573e80a1c572eef8c89ca82582417b7cebcfdd54e0a093ea234c74ee0ab348ea61b84cafc4ce60afc5aa4a8f9a0d05a979bec82cbdff37cbccd1c2f30

Download Submit
memory/1492-10-0x0000000001790000-0x0000000001794000-memory.dmp

Filesize
16KB

Download
memory/4904-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4904-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4904-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4904-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4904-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4904-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4904-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4904-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4904-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4904-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4904-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4904-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4904-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4904-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads