remcos | 043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d

General

Target

043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
Size

233KB
MD5

b0e371680c2c465a447d8cb4ad0ffa57
SHA1

b622b7dfb03b70219fe047abd365fe88a4316394
SHA256

043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d
SHA512

b6956d170613bfae4afb1754bf9a2bdcc8ebce5a4e4c2d8052921a929969bf67f8defa8ad6f396fedf45dfd65d70e19bbe2998f49b6f16bb3167b392fb231577
SSDEEP

6144:4mvl3n8iOiB4RBucKa3h80tK2gBWvADGGw6j1:tvlX8i8RB5JvADGGnj

Score

10^/10

remcos chuk rat upx

Malware Config

Extracted

Family

remcos

Botnet

chuk

C2

mexbar.duckdns.org:3119

chukwuonye.duckdns.org:3241

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-S6EIWK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 14 IoCs

resource	yara_rule
behavioral2/memory/4048-3-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4048-6-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4048-9-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4048-11-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4048-15-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4048-18-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4048-21-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4048-23-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4048-27-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4048-30-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4048-32-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4048-35-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4048-39-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4048-42-0x0000000000400000-0x000000000048A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

UPX dump on OEP (original entry point) 15 IoCs

resource	yara_rule
behavioral2/memory/4048-0-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4048-3-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4048-6-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4048-9-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4048-11-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4048-15-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4048-18-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4048-21-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4048-23-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4048-27-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4048-30-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4048-32-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4048-35-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4048-39-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4048-42-0x0000000000400000-0x000000000048A000-memory.dmp	UPX

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4048-0-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4048-3-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4048-6-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4048-9-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4048-11-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4048-15-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4048-18-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4048-21-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4048-23-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4048-27-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4048-30-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4048-32-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4048-35-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4048-39-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4048-42-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4048	043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe

C:\Users\Admin\AppData\Local\Temp\043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
"C:\Users\Admin\AppData\Local\Temp\043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
270f2c3d96a2e605a9d6252cd4237a1e

SHA1
8a9d67da5cb448e417ac2e389d6d47140ad27058

SHA256
f35270dffc9a0b2141236e8e7615c25c2d16498c1a20775dbeb23d3ee8cb7cd4

SHA512
2cde61498523edc01d8770ec5593fa518e21febb387a7220fe99d8a596aaf27cabc76d21c36a3606d0ed0e336ed08b8073f9ee60b3c4896846426499dd5afa99

Download Submit
memory/4048-21-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4048-30-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4048-3-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4048-9-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4048-11-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4048-15-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4048-6-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4048-23-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4048-18-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4048-27-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4048-0-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4048-32-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4048-35-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4048-39-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4048-42-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing