remcos | 867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d

Analysis

max time kernel
148s
max time network
158s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
19-03-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe
Size

1.3MB
MD5

b26007c701f550b1bff5150c37f824f7
SHA1

d91621bf95cf9be7b7b6e941e715f27e0e9f5b07
SHA256

867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d
SHA512

5502a9a1eaee1e172367f678728b17aff5922cc4dc46504dc25151aee4a9234c9c2978fc75baeeed4cc3b604b382afd784cde9a4500d8dc23d9a59f81ab23a32
SSDEEP

24576:oAHnh+eWsN3skA4RV1Hom2KXMmHaYQ3viOWeXvtSHIqS5NV9n5:vh+ZkldoPK8YaYrHIqONVr

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

shgoini.com:30902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7XHN5V
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Drops startup file 1 IoCs

Processes:

b.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b.vbs b.exe
Executes dropped EXE 4 IoCs

Processes:

b.exeb.exeb.exeb.exe

pid process

1056 b.exe
1032 b.exe
4112 b.exe
2712 b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b.vbs	b.exe

pid	process
1056	b.exe
1032	b.exe
4112	b.exe
2712	b.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\directory\b.exe	autoit_exe
C:\Users\Admin\AppData\Local\directory\b.exe	autoit_exe
C:\Users\Admin\AppData\Local\directory\b.exe	autoit_exe
C:\Users\Admin\AppData\Local\directory\b.exe	autoit_exe
C:\Users\Admin\AppData\Local\directory\b.exe	autoit_exe

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exeb.exeb.exeb.exeb.exe

pid	process
3512	867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe
3512	867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe
1056	b.exe
1056	b.exe
1032	b.exe
1032	b.exe
1032	b.exe
4112	b.exe
4112	b.exe
4112	b.exe
2712	b.exe
2712	b.exe
2712	b.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exeb.exeb.exeb.exeb.exe

pid	process
3512	867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe
3512	867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe
1056	b.exe
1056	b.exe
1032	b.exe
1032	b.exe
1032	b.exe
4112	b.exe
4112	b.exe
4112	b.exe
2712	b.exe
2712	b.exe
2712	b.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exeb.exeb.exeb.exe

description	pid	process	target process
PID 3512 wrote to memory of 1056	3512	867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe	b.exe
PID 3512 wrote to memory of 1056	3512	867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe	b.exe
PID 3512 wrote to memory of 1056	3512	867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe	b.exe
PID 1056 wrote to memory of 1032	1056	b.exe	b.exe
PID 1056 wrote to memory of 1032	1056	b.exe	b.exe
PID 1056 wrote to memory of 1032	1056	b.exe	b.exe
PID 1032 wrote to memory of 4112	1032	b.exe	b.exe
PID 1032 wrote to memory of 4112	1032	b.exe	b.exe
PID 1032 wrote to memory of 4112	1032	b.exe	b.exe
PID 4112 wrote to memory of 2712	4112	b.exe	b.exe
PID 4112 wrote to memory of 2712	4112	b.exe	b.exe
PID 4112 wrote to memory of 2712	4112	b.exe	b.exe

C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe
"C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Local\directory\b.exe
"C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\directory\b.exe
"C:\Users\Admin\AppData\Local\directory\b.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\directory\b.exe
"C:\Users\Admin\AppData\Local\directory\b.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4112

C:\Users\Admin\AppData\Local\directory\b.exe
"C:\Users\Admin\AppData\Local\directory\b.exe"
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autB99B.tmp

Filesize
388KB

MD5
3693bf7b439ce662ad87eff62d63d8bd

SHA1
1a097472889d7e04f22b94b290785281b21d6748

SHA256
408e6a5eca386ec47859acacd9e1f009075f4d640c847f5ec58b126322cfd645

SHA512
e9458fd40250a5ce4507c652f434112e97dd3e7bec821c101e74cf3a0a70dcf0e940d45aae863c2909a4d03d7de72b47f3f43fb26bb73e2fccbe59c21978f79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\autBD65.tmp

Filesize
9KB

MD5
8b8caa1bc13e1fa4add88483fd5b23ef

SHA1
da2e21643cf2eec771f06700c633818944f51722

SHA256
31f4c7fe44b3dd27b08a6e50d9fed38bc1d3abeb690a94d0cb51c25b9a7ad11b

SHA512
7d0e854c5edbc3772f33fdc4ab323d9ed97046904a4b680789e4c640bb1b7d10d6781d4a8e948b16844c3258f34d08051839db33647cc16a990ef25820987cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\harrowment

Filesize
483KB

MD5
b6abb946c8fafd3c39c65d0018f08292

SHA1
66252a9190a46ec0f39a19c7eb9eff714ebc1f02

SHA256
e70f501e004d971117243365f226ffe8fb691bcc1383be3dd2271df7a8301045

SHA512
d7d1355ae50b1d27fbe939ae10c38fd08343504e5c1b45a28bfc3478ce87fb6bf0009b7434ebdcd521c767d96939f40c7ff54f13e1fa676fdb940adf24bf2b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\harrowment

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\selectee

Filesize
29KB

MD5
90a853c50ee02062c0ba5e4df26e55f4

SHA1
e0625192e1c47f4cc6ad0eec8a093705444f968d

SHA256
709d2fcf79f4d1f8646d42916fda954a52ba88bc4b930b0642afb7b991027b21

SHA512
2279913280b84a2e26423fa9bbc4064b6fd21f92ba99fcc9c41e83a869c7af3b1fb55032af3fff3cb9c8eb23bfb73692b6d4a888741c707ca12cad1553c3e525

Download Submit
C:\Users\Admin\AppData\Local\directory\b.exe

Filesize
6.7MB

MD5
a0a567972d030d54abab65ddc7ee04f3

SHA1
bfe208aa79ef78ea3c4bb3d6baf24c414d07b262

SHA256
1ad648ab247fc253e06d9551209ee046b633c322f10aec40ecc1e2aff9307df8

SHA512
a68fe698d318940a5253695295d130f1c8bb4abd539662ac4317dff04903d5756240d7682ec10f2ca5f2f5e497c3b9ae8aacf038bb07934b476fb07cd2415bb4

Download Submit
C:\Users\Admin\AppData\Local\directory\b.exe

Filesize
7.3MB

MD5
c9c7a7bf3bb1750fa41346e9382cccb2

SHA1
e2f0851b3f80a09591ea51e3d718cee10c073827

SHA256
bae63af754ac0f7c4fffd2db612d9846cfda6cdd36f2198a8a760125547ef174

SHA512
244c5959988099d83fd9f7dd671cad85647edf244dbc43049ce26877f21784b3e68397599943a15aaa724fcd943b8abeb58b2b72359acdb0fbcab7fbd8accae4

Download Submit
C:\Users\Admin\AppData\Local\directory\b.exe

Filesize
9.5MB

MD5
23bafe1fee58b81f260c3b4561a16cf3

SHA1
12977b9620f277ee38cffbc04ce3ec11a3e3d7b7

SHA256
c0ac09f86e9a7907d6cd5e81f4183621b1710210067e7fb2cd961ae6e7e207e5

SHA512
7e4bc6b47c940f72ec4b9c5d0adadae1720ad2815228dd7994edabeb36d3e8d599420b8e26fbc21fa74f2665d1a31244b9b62659d19aa797782a0e6f1ffa50b3

Download Submit
C:\Users\Admin\AppData\Local\directory\b.exe

Filesize
7.1MB

MD5
bdd3b189df89856efedbd25728f5f515

SHA1
9be390c53e99920c6317aa4f6cdfb01a08c807c7

SHA256
4eedede16c6b8362313ca008f30a866b9835edc96482e93a17e522d6f63e2910

SHA512
f3a062c9a963642cf31407dcaef107ae7780ca6a6ab8aee10383aca955bdff6a456b2d414e5456bb2bbbd1ec5f30109ff92b260c467094b87b5b26e43775b02f

Download Submit
C:\Users\Admin\AppData\Local\directory\b.exe

Filesize
5.4MB

MD5
efa28a3b5627cdc52b87d2fd759b977e

SHA1
dd62294433bd3bd047e4c8ca191593e3dbc7fa5c

SHA256
10bded38bfe5b794087e80c240c607e69963f58b5cbf6d66a1d17dc6b25a2b66

SHA512
6074e4aa7128cdd9bf24c8c0c41b8c81bf042cbc9bb3481e4e68d0921160020cae109865aa73a4f96a7826c1e036b258087ef27f92d5f30694efc568a8ad0f03

Download Submit
memory/2712-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2712-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2712-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2712-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2712-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2712-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2712-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2712-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2712-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2712-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2712-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2712-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2712-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2712-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2712-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3512-10-0x0000000002730000-0x0000000002734000-memory.dmp

Filesize
16KB

Download