remcos | c56c00ca3f42026f17affef76b3752f268d1498f862b3143985ca7c1d33feb39

Resubmissions

21/01/2025, 13:35

250121-qvptgawqbk 10

21/01/2025, 11:58

21/01/2025, 11:44

21/01/2025, 11:07

17/07/2024, 20:08

Analysis

max time kernel
59s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
17/07/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe
Size

1.9MB
MD5

0475d0b51b30bf28599601243c9a9aae
SHA1

7adf31fb8aaa01d94531f9e058e33877e0141ccf
SHA256

3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e
SHA512

92167276fc1688239f252a7101c2082ce6cd1f65f30de3b9b33a22d2fcd58a542faecf308d67c719756b4b504247c1588d159120439d1d2ef1a47612575192d6
SSDEEP

24576:7DseOujx71gWufN62I520/hjlB6iTzKFjiZpWFsZrKp0HqGmyejFykKu9XusD4eq:7DjxSNudSOZpW+wG8nXv0eq

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Version

4.9.3 Light

Botnet

RemoteHost

127.0.0.1:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-52SPIJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2936	3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2936	3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2936	1196	3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe	83
PID 1196 wrote to memory of 2936	1196	3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe	83
PID 1196 wrote to memory of 2936	1196	3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe	83
PID 1196 wrote to memory of 2936	1196	3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe	83
PID 1196 wrote to memory of 2936	1196	3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe	83

C:\Users\Admin\AppData\Local\Temp\3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe
"C:\Users\Admin\AppData\Local\Temp\3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe
  "C:\Users\Admin\AppData\Local\Temp\3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-5-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1196-0-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1196-3-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1196-1-0x0000000000407000-0x0000000000421000-memory.dmp

Filesize
104KB

Download
memory/1196-7-0x00000000005D0000-0x00000000005FD000-memory.dmp

Filesize
180KB

Download
memory/1196-2-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2936-22-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-25-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-4-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-9-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2936-11-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-10-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-12-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-13-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-14-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-15-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-16-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-17-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-18-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-19-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-20-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-21-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-6-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-23-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-24-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-8-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-26-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-27-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-28-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-29-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-30-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-31-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-32-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-33-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-34-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-35-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-36-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-37-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-38-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-39-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-40-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-41-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-42-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/2936-43-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download