remcos | 39475882127fd9789d9c23444153a4a4841f3ffbb34ffabb0c540e6e9d76d034

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

913c99449a29c2640d36b0d5fdf69289.exe
Size

1.3MB
MD5

913c99449a29c2640d36b0d5fdf69289
SHA1

858971f52ab45dc8be5f2c43da9b0c25ba398435
SHA256

39475882127fd9789d9c23444153a4a4841f3ffbb34ffabb0c540e6e9d76d034
SHA512

b35a9a28d01a948455da4d078d9f9d1aacb5e9fff5c8359b4278400e29296c75ff96554ae6cc8cd4f53d1db8525d43927c87b793e3fb2e72549d944fd62a6d96
SSDEEP

24576:AP+g7Wy3xfMZKdcKtTjbJ4HEEEEEEEEEEEEEEEEEEEETKKKKKKKKKKKKKKKKKKK7:A/iy3g6TjbsEEEEEEEEEEEEEEEEEEEE+

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

wwsaer.duckdns.org:8533

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
notes
mouse_option
false
mutex
Rmc-9VASLD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

913c99449a29c2640d36b0d5fdf69289.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Efftwcmk = "C:\\Users\\Public\\Efftwcmk.url"	913c99449a29c2640d36b0d5fdf69289.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

913c99449a29c2640d36b0d5fdf69289.exe

pid process

5020 913c99449a29c2640d36b0d5fdf69289.exe

pid	process
5020	913c99449a29c2640d36b0d5fdf69289.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

913c99449a29c2640d36b0d5fdf69289.exe

description	pid	process	target process
PID 5020 wrote to memory of 1916	5020	913c99449a29c2640d36b0d5fdf69289.exe	extrac32.exe
PID 5020 wrote to memory of 1916	5020	913c99449a29c2640d36b0d5fdf69289.exe	extrac32.exe
PID 5020 wrote to memory of 1916	5020	913c99449a29c2640d36b0d5fdf69289.exe	extrac32.exe

C:\Users\Admin\AppData\Local\Temp\913c99449a29c2640d36b0d5fdf69289.exe
"C:\Users\Admin\AppData\Local\Temp\913c99449a29c2640d36b0d5fdf69289.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\913c99449a29c2640d36b0d5fdf69289.exe C:\\Users\\Public\\Libraries\\Efftwcmk.PIF
2⤵
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\notes\logs.dat

Filesize
144B

MD5
175b8853c52f0aadbdfa668d8770db2c

SHA1
076845244c59fec224703bc96782c3d85d339848

SHA256
3115a1c07ac9953bd3b4396a34736872f6d99b70f1d928e86e57e2cddb435f6c

SHA512
438f8f84987afca7a63d0d93fb8c2c37155b5b5249c2bcbeada19643f931fff78cafc810a1359e5f89c6fc8a88b43cd68a964e8722cd4a8d08595dee37f0086c

Download Submit
memory/5020-22-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-65-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-21-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-11-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-12-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-13-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-14-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-16-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-10-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-7-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-33-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-1-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/5020-32-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-44-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-43-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-55-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-54-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-66-0x0000000033890000-0x0000000034890000-memory.dmp

Filesize
16.0MB

Download
memory/5020-0-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download