remcos | 043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d

General

Target

043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
Size

233KB
MD5

b0e371680c2c465a447d8cb4ad0ffa57
SHA1

b622b7dfb03b70219fe047abd365fe88a4316394
SHA256

043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d
SHA512

b6956d170613bfae4afb1754bf9a2bdcc8ebce5a4e4c2d8052921a929969bf67f8defa8ad6f396fedf45dfd65d70e19bbe2998f49b6f16bb3167b392fb231577
SSDEEP

6144:4mvl3n8iOiB4RBucKa3h80tK2gBWvADGGw6j1:tvlX8i8RB5JvADGGnj

Score

10^/10

remcos chuk rat upx

Malware Config

Extracted

Family

remcos

Botnet

chuk

C2

mexbar.duckdns.org:3119

chukwuonye.duckdns.org:3241

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-S6EIWK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 14 IoCs

resource	yara_rule
behavioral1/memory/1924-3-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-6-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-9-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-12-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-15-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-18-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-21-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-24-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-27-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-30-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-32-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-36-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-39-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-42-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

UPX dump on OEP (original entry point) 15 IoCs

resource	yara_rule
behavioral1/memory/1924-0-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/memory/1924-3-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/memory/1924-6-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/memory/1924-9-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/memory/1924-12-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/memory/1924-15-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/memory/1924-18-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/memory/1924-21-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/memory/1924-24-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/memory/1924-27-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/memory/1924-30-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/memory/1924-32-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/memory/1924-36-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/memory/1924-39-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral1/memory/1924-42-0x0000000000400000-0x000000000048A000-memory.dmp	UPX

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1924-0-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1924-3-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1924-6-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1924-9-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1924-12-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1924-15-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1924-18-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1924-21-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1924-24-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1924-27-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1924-30-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1924-32-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1924-36-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1924-39-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/1924-42-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1924	043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe

C:\Users\Admin\AppData\Local\Temp\043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
"C:\Users\Admin\AppData\Local\Temp\043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
0fb0c230fedbf52184070033bd20b072

SHA1
1dfa4921757d23c2bd01afe40d7996dc23f4833b

SHA256
f62c1b8d80567acb17b522778a1b99779e96fb0a6eed7a15f9cba1830935c1eb

SHA512
480aed33acc943ec4c48982cf03fa7fa74a7f2bd0a7fcc7723ec1ff0bc44b11dd818af29669f4d2353d253febb22cfa0fbd513ac3f2ca3182a0cc8193d4548c1

Download Submit
memory/1924-21-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1924-30-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1924-3-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1924-9-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1924-12-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1924-15-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1924-6-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1924-24-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1924-18-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1924-27-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1924-0-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1924-32-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1924-36-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1924-39-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1924-42-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing