remcos | 40ef0ea8d499ef74760da82a71c8cf548149e01826b62767c75431cc4cdad67f

General

Target

ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
Size

1.0MB
MD5

ea1c39e72ae5c05ccb6caf2d94db2235
SHA1

3746a3696094d98a4f91103b045b894c38b04d37
SHA256

40ef0ea8d499ef74760da82a71c8cf548149e01826b62767c75431cc4cdad67f
SHA512

c47467c0af42160971b648564868b66d2870658eebfd68388f8b04208788f2ec753f9b3331a78041d68603eec2813c7ace7a624975b80146fda4eb63b8802eb3
SSDEEP

24576:CoR6qg50vgAsnYNaKK5eyDA86LvoCPNjJmG0NmV/4Nz:BsFegDm0eyDXQPTzG

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

RemoteHost

C2

ostriuyer.myddns.me:7116

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.txt
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-MSOKMD
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
2
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

Processes:

ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe

description	pid	process	target process
PID 5276 set thread context of 2964	5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe

pid process

5276 ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
5276 ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 5276 ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe

pid process

2964 ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe

pid	process
5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe

pid	process
2964	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe

description	pid	process	target process
PID 5276 wrote to memory of 2964	5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
PID 5276 wrote to memory of 2964	5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
PID 5276 wrote to memory of 2964	5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
PID 5276 wrote to memory of 2964	5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
PID 5276 wrote to memory of 2964	5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
PID 5276 wrote to memory of 2964	5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
PID 5276 wrote to memory of 2964	5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
PID 5276 wrote to memory of 2964	5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
PID 5276 wrote to memory of 2964	5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
PID 5276 wrote to memory of 2964	5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
PID 5276 wrote to memory of 2964	5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
PID 5276 wrote to memory of 2964	5276	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe	ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5276

C:\Users\Admin\AppData\Local\Temp\ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea1c39e72ae5c05ccb6caf2d94db2235_JaffaCakes118.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\remcos\logs.txt
Filesize
148B

MD5
a6b77c4714379725be77edfdd18ab021

SHA1
ffed10f0d68fc3a1890edb57b93008b334437acd

SHA256
0bf157cd06531a8178761f9fb525745fc136f14f984a7322444b4047fed1dd94

SHA512
fa7e1088b77ee80fee14e2f8d9aa359287ac229de6a3bac0660ad10f050fd40b77b1c06645734289c2964c752d957ac579e06dc84a812c4cfbe27ba09ac690dc

Download Submit
memory/2964-13-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2964-28-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2964-22-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2964-21-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2964-19-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2964-17-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2964-16-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2964-14-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5276-5-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/5276-6-0x0000000004E60000-0x0000000004E6A000-memory.dmp

Filesize
40KB

Download
memory/5276-11-0x0000000009100000-0x00000000091D6000-memory.dmp

Filesize
856KB

Download
memory/5276-12-0x0000000007C50000-0x0000000007CCA000-memory.dmp

Filesize
488KB

Download
memory/5276-9-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/5276-8-0x0000000005360000-0x000000000537A000-memory.dmp

Filesize
104KB

Download
memory/5276-7-0x0000000005090000-0x00000000050E6000-memory.dmp

Filesize
344KB

Download
memory/5276-10-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/5276-20-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/5276-0-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/5276-4-0x0000000004EA0000-0x0000000004F32000-memory.dmp

Filesize
584KB

Download
memory/5276-3-0x00000000053B0000-0x0000000005954000-memory.dmp

Filesize
5.6MB

Download
memory/5276-2-0x0000000004D60000-0x0000000004DFC000-memory.dmp

Filesize
624KB

Download
memory/5276-1-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing