remcos | 04c8c64580324331a7c2c86d8191c20abac992ffc8b81f5b432e6f6bb5974a2c

General

Target

Quotation.exe
Size

1.4MB
MD5

b637de26aa293e2d88beb31e09febd46
SHA1

a800c3b4defa12246ad3d6b9e70f1aa02e2d7623
SHA256

ca52caeb15fde0f171362e3e7771edecc44f2e582cccaa0fedbd6012669076d7
SHA512

c2b8febd7e296aa35b003b5637f911dd17df2303677126d5da97de2341a4aec2ac1b3b2b5bd2bbdf8288d71d1027b4489fd75eb638153754bb50a4820bb8e437
SSDEEP

24576:tqDEvCTbMWu7rQYlBQcBiT6rprG8a61SU+YLo06JKBqM02XjJxn:tTvC/MTQYxsWR7a6gU+OV6JKcM0uj

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

shgoini.com:30902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7XHN5V
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Drops startup file 1 IoCs

Processes:

excel.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs excel.exe
Executes dropped EXE 2 IoCs

Processes:

excel.exeexcel.exe

pid process

1776 excel.exe
956 excel.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs	excel.exe

pid	process
1776	excel.exe
956	excel.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\directory\excel.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

excel.exe

description pid process target process

PID 956 set thread context of 440 956 excel.exe svchost.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

excel.exeexcel.exe

pid process

1776 excel.exe
956 excel.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Quotation.exeexcel.exeexcel.exe

pid process

3956 Quotation.exe
3956 Quotation.exe
1776 excel.exe
1776 excel.exe
956 excel.exe
956 excel.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Quotation.exeexcel.exeexcel.exe

pid process

3956 Quotation.exe
3956 Quotation.exe
1776 excel.exe
1776 excel.exe
956 excel.exe
956 excel.exe

description	pid	process	target process
PID 956 set thread context of 440	956	excel.exe	svchost.exe

pid	process
1776	excel.exe
956	excel.exe

pid	process
3956	Quotation.exe
3956	Quotation.exe
1776	excel.exe
1776	excel.exe
956	excel.exe
956	excel.exe

pid	process
3956	Quotation.exe
3956	Quotation.exe
1776	excel.exe
1776	excel.exe
956	excel.exe
956	excel.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Quotation.exeexcel.exeexcel.exe

description	pid	process	target process
PID 3956 wrote to memory of 1776	3956	Quotation.exe	excel.exe
PID 3956 wrote to memory of 1776	3956	Quotation.exe	excel.exe
PID 3956 wrote to memory of 1776	3956	Quotation.exe	excel.exe
PID 1776 wrote to memory of 2468	1776	excel.exe	svchost.exe
PID 1776 wrote to memory of 2468	1776	excel.exe	svchost.exe
PID 1776 wrote to memory of 2468	1776	excel.exe	svchost.exe
PID 1776 wrote to memory of 956	1776	excel.exe	excel.exe
PID 1776 wrote to memory of 956	1776	excel.exe	excel.exe
PID 1776 wrote to memory of 956	1776	excel.exe	excel.exe
PID 956 wrote to memory of 440	956	excel.exe	svchost.exe
PID 956 wrote to memory of 440	956	excel.exe	svchost.exe
PID 956 wrote to memory of 440	956	excel.exe	svchost.exe
PID 956 wrote to memory of 440	956	excel.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Local\directory\excel.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
3⤵
PID:2468

C:\Users\Admin\AppData\Local\directory\excel.exe
"C:\Users\Admin\AppData\Local\directory\excel.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\directory\excel.exe"
4⤵
PID:440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ambiparous

Filesize
483KB

MD5
5836e6fb1198f5826ca8facdba529e79

SHA1
cc17afcef2c435265036b8520728963b91ae652c

SHA256
f59b9e90acdbe2a0cc3e5e66bb3214adb7506fc775b8264e36e408a21decfba0

SHA512
f66d5d9e96911ffe7228d2db7b305ee404ba59d25fcde778d00a590417e3606b72dac0a91b7edb4e5d42f7a5a14990eaf4b5058e16ca5e12b49701c6168e3045

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut820C.tmp

Filesize
418KB

MD5
ee36aa87dc445775e3bb981279766e33

SHA1
77e9cf67e60020f6957e826be88b1fb74c6f8903

SHA256
3e5fc13dccb76f873514e7296fa5f739cc8f49fe46a0f464fe96f0573ea4c625

SHA512
47f76b25b13f8f70cfdc8565a3ecf3569c968776e241e77f075045de7ebb06adb899e9bfe8b9ada1f40bb0b175ba8cf626f1d9862e86a5e293c3229362698ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut823C.tmp

Filesize
9KB

MD5
4b2fdf0a8c6c482408eefdf707f502de

SHA1
4873e42b6576980be696af1540e6e546600d48c2

SHA256
c1812737b6c166b63bc12a406b1227bc536d954bb8d986defed0f7468d73f4af

SHA512
cf4f95e4346886bd29bb87fa21aa3503491d50089e5492719642ea6adc1c5df52f72f20f13512513e7923cd57ed808f26c6e3322f0e7ba6e0e77d65e28af83e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\intersentimental

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\intersentimental

Filesize
29KB

MD5
33b3a37e1729538227a84e8aec307e27

SHA1
d888cf3906a4bc58ccc74cba9fe6f314d3be29dd

SHA256
61616629bc83442de66185fb8a8b3ed37d4fc690d473e28cf570527a5db7d456

SHA512
7d1f025b2c18f6b1e7d1793897a17bc36f95a417d1764efc109144b0ffbb8c0a43ea216cab1e3d16935565bcd309ac8845e9df1805f99a1ac8d1f687ad52ef80

Download Submit
C:\Users\Admin\AppData\Local\directory\excel.exe

Filesize
109.4MB

MD5
0f3d2c4ea88d4642a53ad36dd393141e

SHA1
0a36a0acc8586a5f4e60195b8491da35b73367d3

SHA256
35724ab95db9c562617c22641138f080e8a3d46304b3afa956a21e689f88fc21

SHA512
7a798697fab124bc7ea27933db28d0fe3f04b3a1e1cdba9683eea07ddcd53efaff263176d573473fa5942028b70da67971884645683aefe6800c61e60e1e2035

Download Submit
memory/440-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3956-10-0x0000000003AF0000-0x0000000003AF4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing