remcos | 004c59e17178ebbc86da08ea93eb39064a86f5d1be7c18d330c15f80dde8504b

Analysis

max time kernel
149s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloads/901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4.exe
Size

2.2MB
MD5

6c155f7b7d10fffc7a31ce4eb5d3a1f8
SHA1

f3483275258b30ab963e672656fd9aaebe814877
SHA256

901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4
SHA512

5a1a94c2b63a683a5281b05b998b5b35a215bab2cc47c74f332783a78a5de107f8bb15ca3c006e1672f4ab4918376f09769fa028a172b68a6ded814e4be0ed65
SSDEEP

49152:qb33xSNudSRZpWXd7tOvJOodL1PXdFs0Ki3lZ4/yARne:qoR2t6ld1Ln

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Version

4.9.3 Light

Botnet

RemoteHost

127.0.0.1:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-52SPIJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2536	901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2536	901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 2536	4980	901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4.exe	84
PID 4980 wrote to memory of 2536	4980	901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4.exe	84
PID 4980 wrote to memory of 2536	4980	901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4.exe	84
PID 4980 wrote to memory of 2536	4980	901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4.exe	84
PID 4980 wrote to memory of 2536	4980	901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4.exe	84

C:\Users\Admin\AppData\Local\Temp\Downloads\901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4.exe
"C:\Users\Admin\AppData\Local\Temp\Downloads\901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\Downloads\901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4.exe
  "C:\Users\Admin\AppData\Local\Temp\Downloads\901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2536-3-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-6-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-7-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-8-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2536-9-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-10-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-11-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-12-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-13-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-14-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-15-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-16-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-17-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-18-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-19-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-20-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-21-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-22-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-23-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-24-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-25-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-26-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-27-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-28-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-29-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-30-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-31-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-32-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-33-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-34-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-35-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-36-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-37-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-38-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-39-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-40-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-41-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-42-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-43-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-44-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-45-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-46-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-47-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-48-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-49-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-50-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-51-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-52-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-53-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-54-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-55-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-56-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-57-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-58-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-59-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-60-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-61-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-62-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-63-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-64-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-65-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-66-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2536-67-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/4980-0-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/4980-2-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/4980-1-0x0000000000407000-0x0000000000421000-memory.dmp

Filesize
104KB

Download
memory/4980-5-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download