remcos | b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601

General

Target

b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601.exe
Size

1.3MB
MD5

005a7ca88eafea446db3ce376d33354f
SHA1

5041ecbc5713db1de2284a93981322c9d108b817
SHA256

b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601
SHA512

ad3c38f180c1e19d18507906f53c8127536065dda26b6db423299275630c90d433daba6530d8323af6e1aeffb8a610ba9ebe762e5931ab7d240d08c39eb3ddca
SSDEEP

24576:6AHnh+eWsN3skA4RV1Hom2KXMmHazWtL2kDMQop1/4KvU5st4SQsAUcr34/5:Nh+ZkldoPK8YazQsp+sUaxQ5Uj

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.175.229.139:8823

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-2BGC0K
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 29 IoCs

resource	yara_rule
behavioral1/memory/2848-30-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-32-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-33-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-37-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-38-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-34-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-43-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-44-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-45-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-50-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-51-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-52-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-53-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-55-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-56-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-58-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-59-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-62-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-67-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-68-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-70-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-71-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-73-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-72-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-77-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-81-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-82-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-90-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2848-89-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toggeries.vbs	toggeries.exe

Executes dropped EXE 1 IoCs

pid	Process
2652	toggeries.exe

Loads dropped DLL 1 IoCs

pid	Process
1704	b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000015c68-12.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2652 set thread context of 2848	2652	toggeries.exe	29

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2652	toggeries.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1704	b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601.exe
1704	b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601.exe
2652	toggeries.exe
2652	toggeries.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1704	b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601.exe
1704	b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601.exe
2652	toggeries.exe
2652	toggeries.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2848	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2652	1704	b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601.exe	28
PID 1704 wrote to memory of 2652	1704	b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601.exe	28
PID 1704 wrote to memory of 2652	1704	b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601.exe	28
PID 1704 wrote to memory of 2652	1704	b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601.exe	28
PID 2652 wrote to memory of 2848	2652	toggeries.exe	29
PID 2652 wrote to memory of 2848	2652	toggeries.exe	29
PID 2652 wrote to memory of 2848	2652	toggeries.exe	29
PID 2652 wrote to memory of 2848	2652	toggeries.exe	29
PID 2652 wrote to memory of 2848	2652	toggeries.exe	29

C:\Users\Admin\AppData\Local\Temp\b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601.exe
"C:\Users\Admin\AppData\Local\Temp\b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\differences\toggeries.exe
  "C:\Users\Admin\AppData\Local\Temp\b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
44aa83d14a57e5afa38b09f86c0e8b34

SHA1
dee4fbce0f725d3dd598adb471a851e3efec02ad

SHA256
f7e718e98f5536e7627a0e1bc88df7b9650d65a72aeb776677b95f5c6c2bc51e

SHA512
947015d3bcaa4d43630abcc8d8ceed324afd9d739849a8cb4615812cba2f22309495e00517b014760928cd132b4b86e94d3ee2f748e756ecf35a2b100c278453

Download Submit
C:\Users\Admin\AppData\Local\Temp\Countee

Filesize
28KB

MD5
8f3e02aced0e9b99c5db94a3ffcd097c

SHA1
4b1c3fcba0503cbb6eef7f046ae5eb2378ff64c4

SHA256
9e6ffc65257b9baceae2d37f7c976e8240658395d2d2083eb2a69488940dd442

SHA512
a517adb79c8f7dff88a75bebf0141760013b5ac6c490c7fefe62d9412216174794e9a68febf6889f032f050b870bedee33e6a2ffb497a5658aa3df48ee38a799

Download Submit
\Users\Admin\AppData\Local\differences\toggeries.exe

Filesize
1.3MB

MD5
005a7ca88eafea446db3ce376d33354f

SHA1
5041ecbc5713db1de2284a93981322c9d108b817

SHA256
b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601

SHA512
ad3c38f180c1e19d18507906f53c8127536065dda26b6db423299275630c90d433daba6530d8323af6e1aeffb8a610ba9ebe762e5931ab7d240d08c39eb3ddca

Download Submit
memory/1704-10-0x0000000000160000-0x0000000000164000-memory.dmp

Filesize
16KB

Download
memory/2848-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing