remcos | c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929

General

Target

tmp.exe
Size

1.3MB
MD5

6b7314e8a04ad8436c3aff06f3918ea6
SHA1

61c5aca05c76396e70054b732d9afb7d4a5e293d
SHA256

c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929
SHA512

00b5c837c36cb44d5b1a7c724746daf85b4a1d4b89d55a2d81e8999ed34035baa84a8f9fc976704ec92afe52a316c09eb7b7d012d66d8d5eea284d31d5974baf
SSDEEP

24576:LAHnh+eWsN3skA4RV1Hom2KXMmHaUCTOhtduicYukHxavC55:mh+ZkldoPK8YaUC6h/qg

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

shgoini.com:30902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7XHN5V
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Drops startup file 1 IoCs

Processes:

excel.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs excel.exe
Executes dropped EXE 1 IoCs

Processes:

excel.exe

pid process

2960 excel.exe
Loads dropped DLL 1 IoCs

Processes:

tmp.exe

pid process

1964 tmp.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs	excel.exe

pid	process
2960	excel.exe

pid	process
1964	tmp.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\directory\excel.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

excel.exe

description pid process target process

PID 2960 set thread context of 2552 2960 excel.exe svchost.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

excel.exe

pid process

2960 excel.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

tmp.exeexcel.exe

pid process

1964 tmp.exe
1964 tmp.exe
2960 excel.exe
2960 excel.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

tmp.exeexcel.exe

pid process

1964 tmp.exe
1964 tmp.exe
2960 excel.exe
2960 excel.exe

description	pid	process	target process
PID 2960 set thread context of 2552	2960	excel.exe	svchost.exe

pid	process
2960	excel.exe

pid	process
1964	tmp.exe
1964	tmp.exe
2960	excel.exe
2960	excel.exe

pid	process
1964	tmp.exe
1964	tmp.exe
2960	excel.exe
2960	excel.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

tmp.exeexcel.exe

description	pid	process	target process
PID 1964 wrote to memory of 2960	1964	tmp.exe	excel.exe
PID 1964 wrote to memory of 2960	1964	tmp.exe	excel.exe
PID 1964 wrote to memory of 2960	1964	tmp.exe	excel.exe
PID 1964 wrote to memory of 2960	1964	tmp.exe	excel.exe
PID 1964 wrote to memory of 2960	1964	tmp.exe	excel.exe
PID 1964 wrote to memory of 2960	1964	tmp.exe	excel.exe
PID 1964 wrote to memory of 2960	1964	tmp.exe	excel.exe
PID 2960 wrote to memory of 2552	2960	excel.exe	svchost.exe
PID 2960 wrote to memory of 2552	2960	excel.exe	svchost.exe
PID 2960 wrote to memory of 2552	2960	excel.exe	svchost.exe
PID 2960 wrote to memory of 2552	2960	excel.exe	svchost.exe
PID 2960 wrote to memory of 2552	2960	excel.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\directory\excel.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
PID:2552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Thebit
Filesize
483KB

MD5
a04675531940882479c988422f627c21

SHA1
48bb45a49c1600e8f16ffe612170787f841cd969

SHA256
011bee0b69f6d996fd2ddced3a417739375f6a3909ff46d23bcca2f0d14680d5

SHA512
f8f2e1c49d7a7153a8522488a259ff37927c6c133b2030fdf70728aa034b02f2fd704d2bba7ad6660eb0f6b3696108a26df1c479723330f49ea0e462c13ba24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\saccule
Filesize
29KB

MD5
7b4ee3164750a624febb01f867bdb208

SHA1
2c68f3bc9f02ef7229da72935b33053885ad19e0

SHA256
fc648d1008816e63cb562eec07b7ae56ab4c5be06da13282a213f9c9e6f3c2a5

SHA512
aa088d535f08520ba2299da40c2e5c6ee1375eb67ac9f2438f431bda1312d024e38793c1b074f08b0accf8bf89db630b46de5b9883036b84ab50b473bbc1dc41

Download Submit
\Users\Admin\AppData\Local\directory\excel.exe
Filesize
101.3MB

MD5
eea22ca96e4c6cf50dbfa45ba038ca5d

SHA1
f205a1adc28b0b22b64afadd9d6c47da1f765ba7

SHA256
27986689d31cda7612a587a2c78c8d38588a2c1a7fc75b7ec70148f967d5c54f

SHA512
39d9aae6395697ef137c838577153fe85486307b60c0c30fe70814d678b67943e61964f38f6d582157dd6f01d3aa6aebdb9541b78f04157fc1e9e60054812f1a

Download Submit
memory/1964-10-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/2552-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2552-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2552-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2552-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2552-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2552-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2552-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2552-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2552-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2552-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2552-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2552-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2552-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2552-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing