remcos | da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe
Size

1.4MB
MD5

a1712e55e2076a07b330d6ba6800d11a
SHA1

8bb6d0805934764e982a4f75c5e5be4bd98bf24d
SHA256

da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75
SHA512

0f8bb138441afb7c7bd444d20138d765aae36dd81316d75bf9136e0c78a1a21228ef023b7fa1b40f8eddeded69e3488b4607d22864e170c5fa484e36ccb0ab93
SSDEEP

24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8aSvC55FMWq8DZPB:9TvC/MTQYxsWR7aSvYCmP

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

107.175.229.139:8087

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TLPQMO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Drops startup file 1 IoCs

Processes:

Laddonia.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs Laddonia.exe
Executes dropped EXE 1 IoCs

Processes:

Laddonia.exe

pid process

4008 Laddonia.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs	Laddonia.exe

pid	process
4008	Laddonia.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe	autoit_exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exeLaddonia.exe

pid	process
4872	da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe
4872	da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe
4008	Laddonia.exe
4008	Laddonia.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exeLaddonia.exe

pid	process
4872	da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe
4872	da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe
4008	Laddonia.exe
4008	Laddonia.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe

description	pid	process	target process
PID 4872 wrote to memory of 4008	4872	da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe	Laddonia.exe
PID 4872 wrote to memory of 4008	4872	da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe	Laddonia.exe
PID 4872 wrote to memory of 4008	4872	da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe	Laddonia.exe

C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe
"C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
"C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
3f72758f80b004d6c99f2c3d4e50d2e8

SHA1
c306ae7a830400f70ff562dac759f4c77097d04d

SHA256
b5fb7fa2f187c851b0198843901d9652a379a27ce183a4a5fa624b8d6a8d7283

SHA512
818fa57ec618ce44296caca947a8ea35d69ec8feee87358831c63a684c12195de252128c9b7f7aa683e1419f7f163f5d2ada6e67988c338bf3cac349d205bd00

Download Submit
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
Filesize
108.4MB

MD5
38f3c76a53fc5c38e864d22114d3681e

SHA1
77cd891a1faa7c61258b51c79e9035ba41d7fa3d

SHA256
54a47c85cc67aebc790c14ba70a96cf668148fb8dbd9b57cbfa87fa02596aa00

SHA512
c2bf831d47ca4b2686dca1155a69246d0193d8db33f4feb5e3099d5c1e92c1d40a42e8ea8f3364496945c2d3344d72752dccd3f3962f7ae48134e0360754447a

Download Submit
C:\Users\Admin\AppData\Local\Temp\acceptancy
Filesize
29KB

MD5
dc89e41ce316d7ceb23763dbcd54ba9a

SHA1
6f26cc5f16de21e427bd003ff38cce2a1784a87d

SHA256
a2762a36dece9e211a90b2a3bded0def88401206f04e895d6cc8947c51ccc36c

SHA512
488fb772a6dde9b48819dc29ba169271d736787631550c8a64f7ba6c9d52e0e4901305f9ef9822c843d4ffab1c0176397bea6e119de1739bc82bb4120e6625e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uncolorable
Filesize
192KB

MD5
3ea15c6ae80a4381148d6d754aa5bef0

SHA1
f7bb1d88b47edd40d1b6b6306c360afe188802ff

SHA256
f49ee0a3104ae84b4f0c02dec84a126c5b9602b55eae52fe9d80efbcf4e6aa7c

SHA512
52124d9f68afd4fb25e6eb7cad03c5ea147e0bbafec84c2ae1c8d7b71142b74399e594ae9a6e5ffb60e741b760f198f05808bb331d6ec977f0ea584cbd829866

Download Submit
memory/4008-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-95-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-97-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-101-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-102-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-114-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4872-10-0x00000000027F0000-0x00000000027F4000-memory.dmp

Filesize
16KB

Download