remcos | c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929

General

Target

wininit (1).exe
Size

1.3MB
MD5

6b7314e8a04ad8436c3aff06f3918ea6
SHA1

61c5aca05c76396e70054b732d9afb7d4a5e293d
SHA256

c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929
SHA512

00b5c837c36cb44d5b1a7c724746daf85b4a1d4b89d55a2d81e8999ed34035baa84a8f9fc976704ec92afe52a316c09eb7b7d012d66d8d5eea284d31d5974baf
SSDEEP

24576:LAHnh+eWsN3skA4RV1Hom2KXMmHaUCTOhtduicYukHxavC55:mh+ZkldoPK8YaUC6h/qg

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

shgoini.com:30902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7XHN5V
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Drops startup file 1 IoCs

Processes:

excel.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs excel.exe
Executes dropped EXE 1 IoCs

Processes:

excel.exe

pid process

4604 excel.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs	excel.exe

pid	process
4604	excel.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\directory\excel.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

excel.exe

description pid process target process

PID 4604 set thread context of 4328 4604 excel.exe svchost.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

excel.exe

pid process

4604 excel.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

wininit (1).exeexcel.exe

pid process

2552 wininit (1).exe
2552 wininit (1).exe
4604 excel.exe
4604 excel.exe
4604 excel.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

wininit (1).exeexcel.exe

pid process

2552 wininit (1).exe
2552 wininit (1).exe
4604 excel.exe
4604 excel.exe
4604 excel.exe

description	pid	process	target process
PID 4604 set thread context of 4328	4604	excel.exe	svchost.exe

pid	process
4604	excel.exe

pid	process
2552	wininit (1).exe
2552	wininit (1).exe
4604	excel.exe
4604	excel.exe
4604	excel.exe

pid	process
2552	wininit (1).exe
2552	wininit (1).exe
4604	excel.exe
4604	excel.exe
4604	excel.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

wininit (1).exeexcel.exe

description	pid	process	target process
PID 2552 wrote to memory of 4604	2552	wininit (1).exe	excel.exe
PID 2552 wrote to memory of 4604	2552	wininit (1).exe	excel.exe
PID 2552 wrote to memory of 4604	2552	wininit (1).exe	excel.exe
PID 4604 wrote to memory of 4328	4604	excel.exe	svchost.exe
PID 4604 wrote to memory of 4328	4604	excel.exe	svchost.exe
PID 4604 wrote to memory of 4328	4604	excel.exe	svchost.exe
PID 4604 wrote to memory of 4328	4604	excel.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\wininit (1).exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\directory\excel.exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
3⤵
PID:4328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Thebit

Filesize
483KB

MD5
a04675531940882479c988422f627c21

SHA1
48bb45a49c1600e8f16ffe612170787f841cd969

SHA256
011bee0b69f6d996fd2ddced3a417739375f6a3909ff46d23bcca2f0d14680d5

SHA512
f8f2e1c49d7a7153a8522488a259ff37927c6c133b2030fdf70728aa034b02f2fd704d2bba7ad6660eb0f6b3696108a26df1c479723330f49ea0e462c13ba24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\saccule

Filesize
29KB

MD5
7b4ee3164750a624febb01f867bdb208

SHA1
2c68f3bc9f02ef7229da72935b33053885ad19e0

SHA256
fc648d1008816e63cb562eec07b7ae56ab4c5be06da13282a213f9c9e6f3c2a5

SHA512
aa088d535f08520ba2299da40c2e5c6ee1375eb67ac9f2438f431bda1312d024e38793c1b074f08b0accf8bf89db630b46de5b9883036b84ab50b473bbc1dc41

Download Submit
C:\Users\Admin\AppData\Local\directory\excel.exe

Filesize
106.3MB

MD5
4f23f15830d3ba36d13baa6053263f6f

SHA1
4cc35ff93e851df631832ebdf202a77966c40edf

SHA256
6e5c4aad20824647559b2c511bed4f123a4e982978394dc75b544e5ec94cc269

SHA512
4a0549c6e2cc72cd7fbe38dae2110bca0e8a39be17b4adafb2418386e757a5626ef1aae6a4a07f22b92ba9f977fa2b180f5283957399802dfacb9ec36c7eb5db

Download Submit
memory/2552-10-0x0000000001050000-0x0000000001054000-memory.dmp

Filesize
16KB

Download
memory/4328-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4328-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing