remcos | 669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e

General

Target

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
Size

1.4MB
MD5

8ecf2c490c81dfc195a95d51033f2e55
SHA1

555dcc02731ea5df031260a9f94141a6e8301b17
SHA256

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e
SHA512

8431bd38f923d05db9acbaa4b79ed88a5f5c625bf3df2380c072fad5aa7fbdc714ab08eccb46cda50b1da4117684a05a795bcc51d9629499f637b1a927a3595b
SSDEEP

24576:IqDEvCTbMWu7rQYlBQcBiT6rprG8aDSMUB220ZTSVspjHPYnczgFh8OhdQcK:ITvC/MTQYxsWR7aDSjB2hTSu5WLr8OvT

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

193.222.96.75:8823

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TNRDZX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 15 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4964-54-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4964-56-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4964-58-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4964-59-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4964-64-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4964-65-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4964-68-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4964-71-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4964-72-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4964-78-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4964-79-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4964-84-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4964-85-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4964-90-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4964-92-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Drops startup file 1 IoCs

Processes:

name.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe
Executes dropped EXE 3 IoCs

Processes:

name.exename.exename.exe

pid process

4492 name.exe
1432 name.exe
4964 name.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

pid	process
4492	name.exe
1432	name.exe
4964	name.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\directory\name.exe	autoit_exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exename.exename.exename.exe

pid	process
3036	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
3036	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
4492	name.exe
4492	name.exe
1432	name.exe
1432	name.exe
4964	name.exe
4964	name.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exename.exename.exename.exe

pid	process
3036	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
3036	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
4492	name.exe
4492	name.exe
1432	name.exe
1432	name.exe
4964	name.exe
4964	name.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exename.exename.exe

description	pid	process	target process
PID 3036 wrote to memory of 4492	3036	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe	name.exe
PID 3036 wrote to memory of 4492	3036	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe	name.exe
PID 3036 wrote to memory of 4492	3036	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe	name.exe
PID 4492 wrote to memory of 1432	4492	name.exe	name.exe
PID 4492 wrote to memory of 1432	4492	name.exe	name.exe
PID 4492 wrote to memory of 1432	4492	name.exe	name.exe
PID 1432 wrote to memory of 4964	1432	name.exe	name.exe
PID 1432 wrote to memory of 4964	1432	name.exe	name.exe
PID 1432 wrote to memory of 4964	1432	name.exe	name.exe

C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
"C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4492

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2392 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:8
1⤵
PID:1756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
1ecc8147a5b81d2c55c732d874f48a9d

SHA1
05e48685739e8a473a77e9d6f76df21710ae00da

SHA256
a67574b7030509a544dde3d8d592792f2a28283afff3d617c6ae280a790798ac

SHA512
ca883c65e3d57051c5a380d5fe13197b41e0f23862c946047cac2a374a399d0814ad3ba5fd3392462cfdf03eb5461c59d4a787948251bdc0de37990625e0447e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ageless
Filesize
29KB

MD5
ffa2e5ab3b36f5f9ae74cff2a038c1d4

SHA1
8ed7f9cf5089d8361dac06205f5d4567dd8006f9

SHA256
afb5de202275b56fd3f692015b0ce44536db0db7659d392f9dc94d58da87c8f7

SHA512
4775cfe9550daa79fae22c204b118bffc293059110250456b69b6539594d0d3dbe7dedec6cc53aea1890d88340489a993312f0d887453d3702f8a12c7cbb2492

Download Submit
C:\Users\Admin\AppData\Local\Temp\autAAD6.tmp
Filesize
413KB

MD5
949169beca0db71049f399b967f83788

SHA1
44521a34b25e346477e11b9a3e9263fc155d26d1

SHA256
91242813006c5d4b13829eb58c0fafbd8db223f4e08c2b776a7913e81430d7de

SHA512
1439b96ba9a3641d9bc7c468d696c4ad3b216966bfba099a47ab67f78f0587b55628040afb62fb73b2c2fdccb443c4fb429d02f35c945069a2e348e4500170ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\autAB06.tmp
Filesize
9KB

MD5
c800930f609777b6a62bdfb4e0f6d13c

SHA1
25a5607ea6e7a54390ed56f9132c875f8f03a072

SHA256
7c548d6f2a8da0f0f6f446e3e50b2ee13b797a52322a5f2c603d5e1868655d02

SHA512
038b8820b95566a9e141f80e6cacfad70926b4e325c68ad0fef65f5fcd8d315421fb04465a4066dfc4f529a350c0cdb4f6a91c9fff6e28531ca2036875b4eaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scroll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scroll
Filesize
482KB

MD5
d0d973e17f4f9faff0bd11e10be35a45

SHA1
8f6f95ff9d4d5ec970e1ce58902122bd682d8828

SHA256
bc16cad3c5fcd0da9deb63a3ac44b660c6a979b1be970d526feff7cdae679f52

SHA512
2e34d179a064b44043350b80a44601a5732d5ee79b201ab517af64bd806a535550288f2d13c2e961e4ca58ef63a0009a5073233619f3e912e3643434e0520367

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe
Filesize
106.4MB

MD5
639921a0bfdab9e038d5afb1bbb2152a

SHA1
a0545cc178a48dc3f15cc6bcfe0ffd05579c2133

SHA256
6d95701047fa613eb555545c1241b726bbc06b342a8c37723991cf1196882baf

SHA512
98cc010701f1b8aa2db1d18164302deca1e2d353046510f4d5127b2092986ea05771ee213c57723c3470900cd81d16cfae03f2f2da073cc9a66ab19fa3e3fe5e

Download Submit
memory/3036-10-0x00000000024F0000-0x00000000024F4000-memory.dmp

Filesize
16KB

Download
memory/4964-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4964-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4964-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4964-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4964-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4964-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4964-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4964-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4964-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4964-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4964-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4964-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4964-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4964-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4964-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads