Overview

overview

10

Static

static

5

3c77c4dfca...dd.exe

windows7-x64

7

3c77c4dfca...dd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    161s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/04/2024, 20:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c77c4dfca5e491bdc7c81ce126eac8f335a272439f50d48c743e085b0fb0cdd.exe

  • Size

    968KB

  • MD5

    01ab33911b5f2304c41fb68dd98efddf

  • SHA1

    11233230a98f9fa576395c78f94e68cca908db74

  • SHA256

    3c77c4dfca5e491bdc7c81ce126eac8f335a272439f50d48c743e085b0fb0cdd

  • SHA512

    e0bf353ce93cd902e148ee047e12ac104623ebda6e81ad889fbf8734979fc3a0cbc2c0a40ae155d257f9172e9371d3470910eda24919317548c380db9fcbf69f

  • SSDEEP

    24576:CAHnh+eWsN3skA4RV1Hom2KXMmHaAasbwhgl5p:Fh+ZkldoPK8YaAzp

Score
10/10
remcoshostmemratupx

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

HostMEM

C2

79.134.225.27:4001

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    3

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-EZS8B1

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • UPX dump on OEP (original entry point) 6 IoCs
  • detects Windows exceutables potentially bypassing UAC using eventvwr.exe 4 IoCs
  • Drops startup file 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c77c4dfca5e491bdc7c81ce126eac8f335a272439f50d48c743e085b0fb0cdd.exe
    "C:\Users\Admin\AppData\Local\Temp\3c77c4dfca5e491bdc7c81ce126eac8f335a272439f50d48c743e085b0fb0cdd.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Users\Admin\AppData\Local\Temp\3c77c4dfca5e491bdc7c81ce126eac8f335a272439f50d48c743e085b0fb0cdd.exe
      "C:\Users\Admin\AppData\Local\Temp\3c77c4dfca5e491bdc7c81ce126eac8f335a272439f50d48c743e085b0fb0cdd.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:5060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\remcos\logs.dat
    Filesize

    79B

    MD5

    c3b6bf483aedec69ebe8b236ca8d87d4

    SHA1

    1d47f098c7d8cbb9a23bf9fd8ddca9937769c9b2

    SHA256

    5b1fbb1b19c84ca50359bf00b72ba9865c08bc3e11ff65c298cc799a99048030

    SHA512

    6729d27f1e8f1e22d41bff2ae795d55dfd35d8852a0adc0a2e9baeedf0c0c284a0cfa1136a66ebdc6448c44edd95404b05f1914534da982e34a89757b78cab91

    Download Submit

  • memory/4764-2-0x0000000001180000-0x0000000001181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5060-0-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/5060-7-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/5060-11-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/5060-13-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/5060-15-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/5060-16-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download