remcos | 587e9211a90e12d553ffb429ef26369d641fd1304e024fa123da728d7fcba623

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PR18213.exe
Size

386KB
MD5

111ec3b664493425244001508fe4da9f
SHA1

50ed10f291611c37cf1cf8fab9d1acd3ebc676a7
SHA256

547a1a1d08381d2103c9ef6bd7f1bb68783a8d788dd7b336ddca3fbad3684f53
SHA512

a5ce5f334220d3752ad12ae83dbada665c9fdcc020f207ab80280b23e95a99b55605e0fd7426881b45a27fdf4f0e5d0b9e0acd1db283b5474fe99f989ed6a7a5
SSDEEP

6144:TgL8GT9VZcXXALLbrcYz0beRXNXSMMlUvE9XypnsFjvj8ldXIR81I+bz:0P7UX6YtClNXSWHdsRbWXIRg

Score

10^/10

remcos december rat

Malware Config

Extracted

Family

remcos

Botnet

december

91.92.243.110:3734

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QGHS48
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Program crash 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1636	884	WerFault.exe	PR18213.exe
2800	884	WerFault.exe	PR18213.exe
4056	884	WerFault.exe	PR18213.exe
3884	884	WerFault.exe	PR18213.exe
3460	884	WerFault.exe	PR18213.exe
732	884	WerFault.exe	PR18213.exe
4232	884	WerFault.exe	PR18213.exe
428	884	WerFault.exe	PR18213.exe
2840	884	WerFault.exe	PR18213.exe
5012	884	WerFault.exe	PR18213.exe
3100	884	WerFault.exe	PR18213.exe
4432	884	WerFault.exe	PR18213.exe
4316	884	WerFault.exe	PR18213.exe
524	884	WerFault.exe	PR18213.exe
2236	884	WerFault.exe	PR18213.exe
736	884	WerFault.exe	PR18213.exe
4040	884	WerFault.exe	PR18213.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PR18213.exe

pid process

884 PR18213.exe

pid	process
884	PR18213.exe

C:\Users\Admin\AppData\Local\Temp\PR18213.exe
"C:\Users\Admin\AppData\Local\Temp\PR18213.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 632
  2⤵
  - Program crash
  PID:1636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 652
  2⤵
  - Program crash
  PID:2800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 720
  2⤵
  - Program crash
  PID:4056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 748
  2⤵
  - Program crash
  PID:3884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 784
  2⤵
  - Program crash
  PID:3460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 788
  2⤵
  - Program crash
  PID:732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 784
  2⤵
  - Program crash
  PID:4232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 740
  2⤵
  - Program crash
  PID:428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 772
  2⤵
  - Program crash
  PID:2840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 768
  2⤵
  - Program crash
  PID:5012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 752
  2⤵
  - Program crash
  PID:3100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 724
  2⤵
  - Program crash
  PID:4432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 816
  2⤵
  - Program crash
  PID:4316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 796
  2⤵
  - Program crash
  PID:524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 836
  2⤵
  - Program crash
  PID:2236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 880
  2⤵
  - Program crash
  PID:736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 868
  2⤵
  - Program crash
  PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 884 -ip 884
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 884 -ip 884
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 884 -ip 884
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 884 -ip 884
1⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 884 -ip 884
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 884 -ip 884
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 884 -ip 884
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 884 -ip 884
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 884 -ip 884
1⤵
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 884 -ip 884
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 884 -ip 884
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 884 -ip 884
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 884 -ip 884
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 884 -ip 884
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 884 -ip 884
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 884 -ip 884
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 884 -ip 884
1⤵
PID:2100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
511143ffb1483832a82bd275cc1da78a

SHA1
f5156229ddd1bd2586ea3b006a4bbeed2dcb340d

SHA256
09f19364c16eb6ef5375f43e6749acc75423a834b68953f5fac2c7a24254c941

SHA512
0f4b5a1e36ca477836f1594fa248f89e1016bbe6683d0a4eae44e0dddbce2b2b272b05899dd81e317000c001ea17093aae4def75f231816c4a0d78fc38cf9626

Download Submit
memory/884-19-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/884-47-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/884-16-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/884-9-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/884-11-0x0000000000A20000-0x0000000000A9A000-memory.dmp

Filesize
488KB

Download
memory/884-10-0x0000000000AE0000-0x0000000000BE0000-memory.dmp

Filesize
1024KB

Download
memory/884-2-0x0000000000A20000-0x0000000000A9A000-memory.dmp

Filesize
488KB

Download
memory/884-13-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/884-6-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/884-3-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/884-25-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/884-23-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/884-28-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/884-31-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/884-35-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/884-37-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/884-40-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/884-43-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/884-1-0x0000000000AE0000-0x0000000000BE0000-memory.dmp

Filesize
1024KB

Download