Overview

overview

5

Static

static

3

remcos_RAT_v3.8.0.zip

windows11-21h2-x64

5

remcos_RAT...ro.exe

windows11-21h2-x64

3

remcos_RAT...er.exe

windows11-21h2-x64

5

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29/03/2024, 15:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    remcos_RAT_v3.8.0.zip

  • Size

    34.7MB

  • MD5

    1de4439e5a26d159936f009550436bc3

  • SHA1

    9f20c2502a540a4a2d59a16c203498f144fe7f40

  • SHA256

    36f0c6f0ce78b489dbd3d04fec70a71cfd1bdde15b21ead0ba75e26832c82288

  • SHA512

    bed2904598d1f31f42e23e382c12a223aca3e5be5c3b50e04699938c7ccb3ef2b8d8aa94efc0d60971bd0e917bf3a04a8df2d616c4ac32100a97602dd6ee592f

  • SSDEEP

    786432:NdOAayyEaWcxK5Xc6E55iejT4vAxyPolbwPLQTtP5fs8gNor:NdfyEaWcx76EnicwPSwkTtCJor

Score
5/10

Malware Config

Signatures

  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Program crash 1 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\remcos_RAT_v3.8.0.zip
    1⤵
      PID:4852
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4524
      • C:\Users\Admin\Documents\remcos_RAT_v3.8.0\remcos_RAT_v3.8.0\Remcos v3.8.0 Pro.exe
        "C:\Users\Admin\Documents\remcos_RAT_v3.8.0\remcos_RAT_v3.8.0\Remcos v3.8.0 Pro.exe"
        1⤵
          PID:2108
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 536
            2⤵
            • Program crash
            PID:4644
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2108 -ip 2108
          1⤵
            PID:2924
          • C:\Users\Admin\Documents\remcos_RAT_v3.8.0\remcos_RAT_v3.8.0\server\RemcosServer.exe
            "C:\Users\Admin\Documents\remcos_RAT_v3.8.0\remcos_RAT_v3.8.0\server\RemcosServer.exe"
            1⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            PID:1908

          Network

                MITRE ATT&CK Matrix

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/1908-3940-0x0000000140000000-0x00000001401A7000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/1908-3941-0x0000000140000000-0x00000001401A7000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/1908-3942-0x0000000140000000-0x00000001401A7000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/1908-3944-0x0000000140000000-0x00000001401A7000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/1908-3945-0x0000000140000000-0x00000001401A7000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/1908-3946-0x0000000140000000-0x00000001401A7000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/2108-0-0x00000000745E0000-0x0000000074E38000-memory.dmp

                  Filesize

                  8.3MB

                  Download

                • memory/2108-1-0x0000000077600000-0x0000000077852000-memory.dmp

                  Filesize

                  2.3MB

                  Download

                • memory/2108-3939-0x00000000745E0000-0x0000000074E38000-memory.dmp

                  Filesize

                  8.3MB

                  Download