remcos | c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929

General

Target

c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe
Size

1.3MB
MD5

6b7314e8a04ad8436c3aff06f3918ea6
SHA1

61c5aca05c76396e70054b732d9afb7d4a5e293d
SHA256

c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929
SHA512

00b5c837c36cb44d5b1a7c724746daf85b4a1d4b89d55a2d81e8999ed34035baa84a8f9fc976704ec92afe52a316c09eb7b7d012d66d8d5eea284d31d5974baf
SSDEEP

24576:LAHnh+eWsN3skA4RV1Hom2KXMmHaUCTOhtduicYukHxavC55:mh+ZkldoPK8YaUC6h/qg

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

shgoini.com:30902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7XHN5V
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Drops startup file 1 IoCs

Processes:

excel.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs excel.exe
Executes dropped EXE 1 IoCs

Processes:

excel.exe

pid process

1948 excel.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs	excel.exe

pid	process
1948	excel.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\directory\excel.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

excel.exe

description pid process target process

PID 1948 set thread context of 2732 1948 excel.exe svchost.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

excel.exe

pid process

1948 excel.exe

description	pid	process	target process
PID 1948 set thread context of 2732	1948	excel.exe	svchost.exe

pid	process
1948	excel.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exeexcel.exe

pid	process
2276	c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe
2276	c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe
1948	excel.exe
1948	excel.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exeexcel.exe

pid	process
2276	c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe
2276	c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe
1948	excel.exe
1948	excel.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exeexcel.exe

description	pid	process	target process
PID 2276 wrote to memory of 1948	2276	c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe	excel.exe
PID 2276 wrote to memory of 1948	2276	c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe	excel.exe
PID 2276 wrote to memory of 1948	2276	c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe	excel.exe
PID 1948 wrote to memory of 2732	1948	excel.exe	svchost.exe
PID 1948 wrote to memory of 2732	1948	excel.exe	svchost.exe
PID 1948 wrote to memory of 2732	1948	excel.exe	svchost.exe
PID 1948 wrote to memory of 2732	1948	excel.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe
"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\directory\excel.exe
  "C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"
    3⤵
    PID:2732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Thebit

Filesize
483KB

MD5
a04675531940882479c988422f627c21

SHA1
48bb45a49c1600e8f16ffe612170787f841cd969

SHA256
011bee0b69f6d996fd2ddced3a417739375f6a3909ff46d23bcca2f0d14680d5

SHA512
f8f2e1c49d7a7153a8522488a259ff37927c6c133b2030fdf70728aa034b02f2fd704d2bba7ad6660eb0f6b3696108a26df1c479723330f49ea0e462c13ba24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\saccule

Filesize
29KB

MD5
7b4ee3164750a624febb01f867bdb208

SHA1
2c68f3bc9f02ef7229da72935b33053885ad19e0

SHA256
fc648d1008816e63cb562eec07b7ae56ab4c5be06da13282a213f9c9e6f3c2a5

SHA512
aa088d535f08520ba2299da40c2e5c6ee1375eb67ac9f2438f431bda1312d024e38793c1b074f08b0accf8bf89db630b46de5b9883036b84ab50b473bbc1dc41

Download Submit
C:\Users\Admin\AppData\Local\directory\excel.exe

Filesize
107.3MB

MD5
6e785bef0bc6d9d27b632a95c167f95e

SHA1
be154cc572ba9fcc5e9d562106172e63ce49ef8c

SHA256
8e572214b3f185499a292d3b0720b4641a2f519195703d5462c64682decd4e96

SHA512
7f13e223683b5aad76f8c337f8b5c9ee24666384b82077af03ece6c04b6d4a8a3879b5ce9ee5d4d4724cb9f27a2144a39f086b00114b7df11bd4b2b0dab21940

Download Submit
memory/2276-10-0x00000000027B0000-0x00000000027B4000-memory.dmp

Filesize
16KB

Download
memory/2732-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads