remcos | b07b0d5f18622f1892406e84e739e385fa9077592134729637c4b6966c64c1f3

General

Target

63e8483b57ff55e73d7c2c3432bb7f7c.exe
Size

7.9MB
MD5

63e8483b57ff55e73d7c2c3432bb7f7c
SHA1

4a3fa272dab1e89642b3529c5dd5e3457ea03b49
SHA256

b07b0d5f18622f1892406e84e739e385fa9077592134729637c4b6966c64c1f3
SHA512

d75298c3d280ed865a66294f7e87e4ba3cc71e807cd5c2dd1fe535c260259ac5abae89da43998389e2509d080ab3ca448d54a22fa9a6b63d6fcc7e8b2c84db59
SSDEEP

98304:Dz16s9EwkidrwQwPdz9u/ZZmDZJErUXQbZT7wIX02kVmH4:Dz16gBrd3gu/XmDZiU0txrH4

Score

10^/10

remcos caros persistence rat

Malware Config

Extracted

Family

remcos

Botnet

CAROS

C2

sdfvsdjvniwjbdiweb.con-ip.com:1662

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-14RQ6Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\TopicLT = "C:\\Users\\Admin\\Documents\\FocalPoint\\gUpdater.exe"	63e8483b57ff55e73d7c2c3432bb7f7c.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1968	63e8483b57ff55e73d7c2c3432bb7f7c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2548	63e8483b57ff55e73d7c2c3432bb7f7c.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2548	1968	63e8483b57ff55e73d7c2c3432bb7f7c.exe	28
PID 1968 wrote to memory of 2548	1968	63e8483b57ff55e73d7c2c3432bb7f7c.exe	28
PID 1968 wrote to memory of 2548	1968	63e8483b57ff55e73d7c2c3432bb7f7c.exe	28
PID 1968 wrote to memory of 2548	1968	63e8483b57ff55e73d7c2c3432bb7f7c.exe	28
PID 1968 wrote to memory of 2548	1968	63e8483b57ff55e73d7c2c3432bb7f7c.exe	28
PID 1968 wrote to memory of 2548	1968	63e8483b57ff55e73d7c2c3432bb7f7c.exe	28
PID 1968 wrote to memory of 2548	1968	63e8483b57ff55e73d7c2c3432bb7f7c.exe	28
PID 1968 wrote to memory of 2548	1968	63e8483b57ff55e73d7c2c3432bb7f7c.exe	28
PID 1968 wrote to memory of 2548	1968	63e8483b57ff55e73d7c2c3432bb7f7c.exe	28
PID 1968 wrote to memory of 2548	1968	63e8483b57ff55e73d7c2c3432bb7f7c.exe	28

C:\Users\Admin\AppData\Local\Temp\63e8483b57ff55e73d7c2c3432bb7f7c.exe
"C:\Users\Admin\AppData\Local\Temp\63e8483b57ff55e73d7c2c3432bb7f7c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\63e8483b57ff55e73d7c2c3432bb7f7c.exe
  "C:\Users\Admin\AppData\Local\Temp\63e8483b57ff55e73d7c2c3432bb7f7c.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
3dabae733bd19c123e7f6bd6d3f739ec

SHA1
d597e9b029f9ddfc9913482d0c04c48d078653ae

SHA256
c8aa94c8a22b04efe337670fb6ef43d77497659c547275814131a3dd8408624a

SHA512
e653f1c9b4b26e29eb34d5184898afc13302f9c6227a9b2ed69c7844d4fc1de89d1b99f189d1f358e73f91b366e1da5e0c0fd8795f1a512492dee7d1d08e7442

Download Submit
memory/1968-12-0x0000000000400000-0x0000000000BF1000-memory.dmp

Filesize
7.9MB

Download
memory/1968-0-0x0000000000400000-0x0000000000BF1000-memory.dmp

Filesize
7.9MB

Download
memory/1968-2-0x0000000000400000-0x0000000000BF1000-memory.dmp

Filesize
7.9MB

Download
memory/1968-1-0x0000000000426000-0x0000000000440000-memory.dmp

Filesize
104KB

Download
memory/2548-18-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-23-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-11-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-7-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2548-13-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-14-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-15-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-9-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2548-19-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-22-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-21-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-3-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-25-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-29-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2548-32-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-33-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-40-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-41-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-48-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-49-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/2548-56-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads