remcos | 669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e

General

Target

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
Size

1.4MB
MD5

8ecf2c490c81dfc195a95d51033f2e55
SHA1

555dcc02731ea5df031260a9f94141a6e8301b17
SHA256

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e
SHA512

8431bd38f923d05db9acbaa4b79ed88a5f5c625bf3df2380c072fad5aa7fbdc714ab08eccb46cda50b1da4117684a05a795bcc51d9629499f637b1a927a3595b
SSDEEP

24576:IqDEvCTbMWu7rQYlBQcBiT6rprG8aDSMUB220ZTSVspjHPYnczgFh8OhdQcK:ITvC/MTQYxsWR7aDSjB2hTSu5WLr8OvT

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

193.222.96.75:8823

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TNRDZX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Drops startup file 1 IoCs

Processes:

name.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe
Executes dropped EXE 1 IoCs

Processes:

name.exe

pid process

1240 name.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

pid	process
1240	name.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\directory\name.exe	autoit_exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exename.exe

pid	process
968	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
968	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
1240	name.exe
1240	name.exe
1240	name.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exename.exe

pid	process
968	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
968	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
1240	name.exe
1240	name.exe
1240	name.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe

description	pid	process	target process
PID 968 wrote to memory of 1240	968	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe	name.exe
PID 968 wrote to memory of 1240	968	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe	name.exe
PID 968 wrote to memory of 1240	968	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe	name.exe

C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
"C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
97004072dc603fb8911c18d0d81e1ecc

SHA1
585427098a26e860c9e3fd96f48f6289ed69b49e

SHA256
e0967f2731fdae9e6a101443d526e052b468ebf4e507da7b0a74bedf77d71e72

SHA512
477cc3b8945a92c47d6343e658584ce9c91b149124d8ddb3bf2c0bb57e454ba73b2c0e93e8521227777f1ba1568091c1f9fa1476c91b7d662f16aae02ec1f4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ageless
Filesize
29KB

MD5
ffa2e5ab3b36f5f9ae74cff2a038c1d4

SHA1
8ed7f9cf5089d8361dac06205f5d4567dd8006f9

SHA256
afb5de202275b56fd3f692015b0ce44536db0db7659d392f9dc94d58da87c8f7

SHA512
4775cfe9550daa79fae22c204b118bffc293059110250456b69b6539594d0d3dbe7dedec6cc53aea1890d88340489a993312f0d887453d3702f8a12c7cbb2492

Download Submit
C:\Users\Admin\AppData\Local\Temp\scroll
Filesize
482KB

MD5
d0d973e17f4f9faff0bd11e10be35a45

SHA1
8f6f95ff9d4d5ec970e1ce58902122bd682d8828

SHA256
bc16cad3c5fcd0da9deb63a3ac44b660c6a979b1be970d526feff7cdae679f52

SHA512
2e34d179a064b44043350b80a44601a5732d5ee79b201ab517af64bd806a535550288f2d13c2e961e4ca58ef63a0009a5073233619f3e912e3643434e0520367

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe
Filesize
106.4MB

MD5
6bc085f01b9d2ad107bcd26eb213452f

SHA1
4bd66c0e667e2ae0246ea14ba2820cda4f2a47ea

SHA256
0a02e24506da301d164396cd47cefcea284f886d211d769888e4ca62ee2df9ba

SHA512
43e0b2e92e7e600bf6750919d662deb459851ce3b0aef0b706dc3682052f79e400c13efb782da78dfaeb07078cba968d1cf39befb437a111290cf541e59a7b3c

Download Submit
memory/968-10-0x0000000004050000-0x0000000004054000-memory.dmp

Filesize
16KB

Download
memory/1240-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1240-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1240-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1240-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1240-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1240-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1240-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1240-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1240-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1240-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1240-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1240-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1240-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1240-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1240-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1240-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads