remcos | e51b22d7a34f2b2b6e7ede4b3c25a3ef0d302672d2b309c9305cfc2bfdbbee79

General

Target

PR18213.exe
Size

386KB
MD5

111ec3b664493425244001508fe4da9f
SHA1

50ed10f291611c37cf1cf8fab9d1acd3ebc676a7
SHA256

547a1a1d08381d2103c9ef6bd7f1bb68783a8d788dd7b336ddca3fbad3684f53
SHA512

a5ce5f334220d3752ad12ae83dbada665c9fdcc020f207ab80280b23e95a99b55605e0fd7426881b45a27fdf4f0e5d0b9e0acd1db283b5474fe99f989ed6a7a5
SSDEEP

6144:TgL8GT9VZcXXALLbrcYz0beRXNXSMMlUvE9XypnsFjvj8ldXIR81I+bz:0P7UX6YtClNXSWHdsRbWXIRg

Score

10^/10

remcos december rat

Malware Config

Extracted

Family

remcos

Botnet

december

C2

91.92.243.110:3734

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QGHS48
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1812-1-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1812-4-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1812-5-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1812-7-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1812-12-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1812-15-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1812-18-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1812-21-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1812-24-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1812-27-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1812-30-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1812-33-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1812-36-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1812-39-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1812-42-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1812-45-0x0000000000400000-0x0000000000882000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3280	1812	WerFault.exe	PR18213.exe
4696	1812	WerFault.exe	PR18213.exe
4460	1812	WerFault.exe	PR18213.exe
3416	1812	WerFault.exe	PR18213.exe
2372	1812	WerFault.exe	PR18213.exe
408	1812	WerFault.exe	PR18213.exe
4460	1812	WerFault.exe	PR18213.exe
788	1812	WerFault.exe	PR18213.exe
1668	1812	WerFault.exe	PR18213.exe
5032	1812	WerFault.exe	PR18213.exe
1116	1812	WerFault.exe	PR18213.exe
2424	1812	WerFault.exe	PR18213.exe
4492	1812	WerFault.exe	PR18213.exe
4348	1812	WerFault.exe	PR18213.exe
460	1812	WerFault.exe	PR18213.exe
4356	1812	WerFault.exe	PR18213.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PR18213.exe

pid process

1812 PR18213.exe

pid	process
1812	PR18213.exe

C:\Users\Admin\AppData\Local\Temp\PR18213.exe
"C:\Users\Admin\AppData\Local\Temp\PR18213.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 668
2⤵
- Program crash
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 716
2⤵
- Program crash
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 760
2⤵
- Program crash
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 780
2⤵
- Program crash
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 788
2⤵
- Program crash
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 676
2⤵
- Program crash
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 744
2⤵
- Program crash
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 672
2⤵
- Program crash
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 732
2⤵
- Program crash
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 780
2⤵
- Program crash
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 836
2⤵
- Program crash
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 744
2⤵
- Program crash
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 836
2⤵
- Program crash
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 820
2⤵
- Program crash
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 744
2⤵
- Program crash
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 816
2⤵
- Program crash
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1812 -ip 1812
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1812 -ip 1812
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1812 -ip 1812
1⤵
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1812 -ip 1812
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1812 -ip 1812
1⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3472 --field-trial-handle=2260,i,3303482231723870786,2954015409682154873,262144 --variations-seed-version /prefetch:8
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1812 -ip 1812
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1812 -ip 1812
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1812 -ip 1812
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1812 -ip 1812
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1812 -ip 1812
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1812 -ip 1812
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1812 -ip 1812
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1812 -ip 1812
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 1812 -ip 1812
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1812 -ip 1812
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1812 -ip 1812
1⤵
PID:4936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
cc3d17d63f54a33cbdcd7513543e258c

SHA1
930a46a77d40a0fc13fc760e772fef31d5b958d5

SHA256
16692ea162f3afae1a15ae07d6cd422dff50bd037553e1926d5416aedf552f1f

SHA512
67f445957f3cac8e32a0d54f08da3aa4d1372712f43fb97992e74bff832af47a0e7b24a0d00a1dfc5d2aca6d1251aa832d69f597a08991b82b816c1184dd7c0f

Download Submit
memory/1812-15-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-39-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-4-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-5-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-7-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-8-0x0000000000B80000-0x0000000000C80000-memory.dmp

Filesize
1024KB

Download
memory/1812-9-0x0000000002620000-0x000000000269A000-memory.dmp

Filesize
488KB

Download
memory/1812-18-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-45-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-3-0x0000000002620000-0x000000000269A000-memory.dmp

Filesize
488KB

Download
memory/1812-12-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-21-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-24-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-27-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-30-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-33-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-36-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-1-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-42-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1812-2-0x0000000000B80000-0x0000000000C80000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing