remcos | 13d86de442fd832c83a9fcdd7e3b25729818cc4d6fc395d015a34d07d8a461f8

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 03:09

Target

bUAZ.exe
Size

92KB
MD5

035964f345b26ce3a0f888ee34ba45df
SHA1

9640bfe76150bfb961de7f14d63f7e35a5ad51b0
SHA256

13d86de442fd832c83a9fcdd7e3b25729818cc4d6fc395d015a34d07d8a461f8
SHA512

ea4fb6ae54573db34689cc7b00b02905c040f891039963d4be4d6c5a14ea1bcff81f6f2b3f7201ed77956f92a1bab2b54291f77401848f1899b926763869bde6
SSDEEP

1536:IhhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6vry:OhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+V

Score

10^/10

remcos rat

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

3 0.tcp.sa.ngrok.io
56 0.tcp.sa.ngrok.io
79 0.tcp.sa.ngrok.io
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

bUAZ.exe

pid process

208 bUAZ.exe

pid	process
208	bUAZ.exe

C:\Users\Admin\AppData\Local\Temp\bUAZ.exe
"C:\Users\Admin\AppData\Local\Temp\bUAZ.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:208

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance