Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
-
submitted
10-04-2024 03:05
General
-
Target
c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe
-
Size
1.3MB
-
MD5
6b7314e8a04ad8436c3aff06f3918ea6
-
SHA1
61c5aca05c76396e70054b732d9afb7d4a5e293d
-
SHA256
c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929
-
SHA512
00b5c837c36cb44d5b1a7c724746daf85b4a1d4b89d55a2d81e8999ed34035baa84a8f9fc976704ec92afe52a316c09eb7b7d012d66d8d5eea284d31d5974baf
-
SSDEEP
24576:LAHnh+eWsN3skA4RV1Hom2KXMmHaUCTOhtduicYukHxavC55:mh+ZkldoPK8YaUC6h/qg
Malware Config
Extracted
remcos
RemoteHost
shgoini.com:30902
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-7XHN5V
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 18 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\directory\excel.exe"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
483KB
MD5a04675531940882479c988422f627c21
SHA148bb45a49c1600e8f16ffe612170787f841cd969
SHA256011bee0b69f6d996fd2ddced3a417739375f6a3909ff46d23bcca2f0d14680d5
SHA512f8f2e1c49d7a7153a8522488a259ff37927c6c133b2030fdf70728aa034b02f2fd704d2bba7ad6660eb0f6b3696108a26df1c479723330f49ea0e462c13ba24c
-
Filesize
29KB
MD57b4ee3164750a624febb01f867bdb208
SHA12c68f3bc9f02ef7229da72935b33053885ad19e0
SHA256fc648d1008816e63cb562eec07b7ae56ab4c5be06da13282a213f9c9e6f3c2a5
SHA512aa088d535f08520ba2299da40c2e5c6ee1375eb67ac9f2438f431bda1312d024e38793c1b074f08b0accf8bf89db630b46de5b9883036b84ab50b473bbc1dc41
-
Filesize
101.3MB
MD5969e7125ce8c552f9d7899df54b54336
SHA19596f483d654b10af236c4d0968049600a8b9d55
SHA256f9c8d0f80cefe182b3f56d1fbb45226cb61aef3c47f664bee2016c90259f6e4b
SHA5126b16cd04346062176356199c10c4d55f2323d64e79b835e477e6a060bfe9210dd8981e9debc6e9232301effb65c09d07dd6997bb8e325eb70c44dc5c0c207c91
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
16KB