remcos | 48bc32a1d2d84b7c3f61d1839972c2d36b14d3ab30270cad4cbb4d3b04205407

General

Target

MalwareBazaar.exe
Size

1.3MB
MD5

b30be2bc141cfd8968a7a04c9829f9e6
SHA1

b34742a5ccae99ca650eb7b9b15e8e709a5a0e09
SHA256

48bc32a1d2d84b7c3f61d1839972c2d36b14d3ab30270cad4cbb4d3b04205407
SHA512

a272dc996e320df1d7b4f58274ce8ed3e9e94bc0c6eaaab543b6620014f745307ee4e7ba32dcbfca380a9f488f2849ada24bbe5805015b3a6c8afd313bb8432d
SSDEEP

24576:wAHnh+eWsN3skA4RV1Hom2KXMmHamxu8cYi4BzzaYOiNvKGW5:nh+ZkldoPK8YamxBcY3Bfa0Ny3

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

ocservice.duckdns.org:6622

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
evferf
mouse_option
false
mutex
Rmc-5U6QT9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
4212	name.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000a0000000233e3-13.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4212 set thread context of 4620	4212	name.exe	87

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4212	name.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4620	svchost.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4620	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4620	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 4212	4280	MalwareBazaar.exe	86
PID 4280 wrote to memory of 4212	4280	MalwareBazaar.exe	86
PID 4280 wrote to memory of 4212	4280	MalwareBazaar.exe	86
PID 4212 wrote to memory of 4620	4212	name.exe	87
PID 4212 wrote to memory of 4620	4212	name.exe	87
PID 4212 wrote to memory of 4620	4212	name.exe	87
PID 4212 wrote to memory of 4620	4212	name.exe	87

C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    3⤵
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\evferf\logs.dat

Filesize
176B

MD5
6a87d9306dd2482b55649469b022adbb

SHA1
2cbfd1c5c83c956d71f0a39a0b30a0c042a8789f

SHA256
e7047ac4a0b9998e25424d9c870e554f763507eb6292de025916cc10da69bb7d

SHA512
0e8ee9a75334e9cd51477ab678ec7786094a124d3cce82536a09815dbb0a08c7b54e9b7225d5127dce97beacaad5865b115ff69eaa1c0065fa392c215610e1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\kinematical

Filesize
482KB

MD5
4611750a4d69b298355c025d7aeb7cf5

SHA1
99905f76987cf12134fbf438b5debfd1c9ca8246

SHA256
f4f0868a2d0e511c53876af42f76d45e7a5ac39ab2e2acc1c1c4cd23cdb6be35

SHA512
fb9f328fa24f912069ea22c0fa294c1488ae045a6afd6a0afef84f2e0c9b45be4fdaadd5485de1e8bc9efe07d146397e22fabc33fa221ec6c8fffe51f0d98dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sulfhydric

Filesize
28KB

MD5
0161c311aab458362093bff36eda6d6d

SHA1
17399e07cc0f6d5dcbeca80c3eef17c61e20125c

SHA256
65a538c736f7ddc085f2f96d9620942a432132ca87c5fadb7a070ff4a9542567

SHA512
27982f198294b49df1b6c07ebb602da02f6149f8ea37734170ccbd1c62b4df00b94bc6c7456f0c8a3944530bee58788b1ae9e45c4de772309e9151204ba0e45d

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.3MB

MD5
b30be2bc141cfd8968a7a04c9829f9e6

SHA1
b34742a5ccae99ca650eb7b9b15e8e709a5a0e09

SHA256
48bc32a1d2d84b7c3f61d1839972c2d36b14d3ab30270cad4cbb4d3b04205407

SHA512
a272dc996e320df1d7b4f58274ce8ed3e9e94bc0c6eaaab543b6620014f745307ee4e7ba32dcbfca380a9f488f2849ada24bbe5805015b3a6c8afd313bb8432d

Download Submit
memory/4280-10-0x0000000000E30000-0x0000000000E34000-memory.dmp

Filesize
16KB

Download
memory/4620-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4620-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing