remcos | b07b0d5f18622f1892406e84e739e385fa9077592134729637c4b6966c64c1f3

General

Target

63e8483b57ff55e73d7c2c3432bb7f7c.exe
Size

7.9MB
MD5

63e8483b57ff55e73d7c2c3432bb7f7c
SHA1

4a3fa272dab1e89642b3529c5dd5e3457ea03b49
SHA256

b07b0d5f18622f1892406e84e739e385fa9077592134729637c4b6966c64c1f3
SHA512

d75298c3d280ed865a66294f7e87e4ba3cc71e807cd5c2dd1fe535c260259ac5abae89da43998389e2509d080ab3ca448d54a22fa9a6b63d6fcc7e8b2c84db59
SSDEEP

98304:Dz16s9EwkidrwQwPdz9u/ZZmDZJErUXQbZT7wIX02kVmH4:Dz16gBrd3gu/XmDZiU0txrH4

Score

10^/10

remcos caros persistence rat

Malware Config

Extracted

Family

remcos

Botnet

CAROS

C2

sdfvsdjvniwjbdiweb.con-ip.com:1662

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-14RQ6Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TopicLT = "C:\\Users\\Admin\\Documents\\FocalPoint\\gUpdater.exe"	63e8483b57ff55e73d7c2c3432bb7f7c.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2060	63e8483b57ff55e73d7c2c3432bb7f7c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4956	63e8483b57ff55e73d7c2c3432bb7f7c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 4956	2060	63e8483b57ff55e73d7c2c3432bb7f7c.exe	92
PID 2060 wrote to memory of 4956	2060	63e8483b57ff55e73d7c2c3432bb7f7c.exe	92
PID 2060 wrote to memory of 4956	2060	63e8483b57ff55e73d7c2c3432bb7f7c.exe	92
PID 2060 wrote to memory of 4956	2060	63e8483b57ff55e73d7c2c3432bb7f7c.exe	92
PID 2060 wrote to memory of 4956	2060	63e8483b57ff55e73d7c2c3432bb7f7c.exe	92
PID 2060 wrote to memory of 4956	2060	63e8483b57ff55e73d7c2c3432bb7f7c.exe	92

C:\Users\Admin\AppData\Local\Temp\63e8483b57ff55e73d7c2c3432bb7f7c.exe
"C:\Users\Admin\AppData\Local\Temp\63e8483b57ff55e73d7c2c3432bb7f7c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\63e8483b57ff55e73d7c2c3432bb7f7c.exe
  "C:\Users\Admin\AppData\Local\Temp\63e8483b57ff55e73d7c2c3432bb7f7c.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
9c574a67bee1a7e3e9dd2ca72dbdeb16

SHA1
d1e43c7eb88ba4302587f15f0e821f87f2045ade

SHA256
cc2555a17d5c5248f2496661c3e90bf0bdb36e3e5b50ce5416c0e2fe104f014c

SHA512
4b7ce744c4f7e3db3c4e9d1c2cdb8df9db55b6a12d6285ad485d667461b11f184de3e9d26ec21077c9883e054503f3ca53371305519c63ba9dc48ac7358c9454

Download Submit
memory/2060-0-0x0000000000400000-0x0000000000BF1000-memory.dmp

Filesize
7.9MB

Download
memory/2060-1-0x0000000000426000-0x0000000000440000-memory.dmp

Filesize
104KB

Download
memory/2060-2-0x0000000000400000-0x0000000000BF1000-memory.dmp

Filesize
7.9MB

Download
memory/2060-7-0x0000000000400000-0x0000000000BF1000-memory.dmp

Filesize
7.9MB

Download
memory/4956-6-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/4956-18-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/4956-8-0x0000000000400000-0x0000000000BF1000-memory.dmp

Filesize
7.9MB

Download
memory/4956-9-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/4956-12-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/4956-13-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/4956-14-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/4956-15-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/4956-16-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/4956-5-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/4956-3-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/4956-25-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/4956-26-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/4956-33-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/4956-34-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/4956-49-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/4956-50-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads