remcos | 2c0f066caa7ba44e2f6df2a751d4e3584529938885a3a004e318a8b66193da98

General

Target

MalwareBazaar.exe
Size

878KB
MD5

f59c2ccddb6294bf18fff71a7d16f9c8
SHA1

b32f1a41c1d05eee359e934e3f65e79c654915d5
SHA256

2c0f066caa7ba44e2f6df2a751d4e3584529938885a3a004e318a8b66193da98
SHA512

57a0e3187adae73e5c717a6f0725853153505beb1b02f8688600d3cba3b06047b20cc6fbe73db4afd0735f1c41a32be64495ff7e017e8be4ca828682f7bc50a5
SSDEEP

12288:WQbUDRl8U+i+U7o9l6eZi/0K+GKS8Dk3f1DgteFpLXV:HalWi+U7Ylc/H+A8APRFpLX

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

sembe.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
nots.dat
keylog_flag
false
keylog_folder
note
keylog_path
%Temp%
mouse_option
false
mutex
Rmc-999Z97
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2440 set thread context of 3284	2440	MalwareBazaar.exe	98

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2440	MalwareBazaar.exe
2440	MalwareBazaar.exe
2440	MalwareBazaar.exe
2440	MalwareBazaar.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	MalwareBazaar.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3284	AddInProcess32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2356	2440	MalwareBazaar.exe	97
PID 2440 wrote to memory of 2356	2440	MalwareBazaar.exe	97
PID 2440 wrote to memory of 2356	2440	MalwareBazaar.exe	97
PID 2440 wrote to memory of 2356	2440	MalwareBazaar.exe	97
PID 2440 wrote to memory of 2356	2440	MalwareBazaar.exe	97
PID 2440 wrote to memory of 2356	2440	MalwareBazaar.exe	97
PID 2440 wrote to memory of 2356	2440	MalwareBazaar.exe	97
PID 2440 wrote to memory of 2356	2440	MalwareBazaar.exe	97
PID 2440 wrote to memory of 2356	2440	MalwareBazaar.exe	97
PID 2440 wrote to memory of 2356	2440	MalwareBazaar.exe	97
PID 2440 wrote to memory of 2356	2440	MalwareBazaar.exe	97
PID 2440 wrote to memory of 2356	2440	MalwareBazaar.exe	97
PID 2440 wrote to memory of 3284	2440	MalwareBazaar.exe	98
PID 2440 wrote to memory of 3284	2440	MalwareBazaar.exe	98
PID 2440 wrote to memory of 3284	2440	MalwareBazaar.exe	98
PID 2440 wrote to memory of 3284	2440	MalwareBazaar.exe	98
PID 2440 wrote to memory of 3284	2440	MalwareBazaar.exe	98
PID 2440 wrote to memory of 3284	2440	MalwareBazaar.exe	98
PID 2440 wrote to memory of 3284	2440	MalwareBazaar.exe	98
PID 2440 wrote to memory of 3284	2440	MalwareBazaar.exe	98
PID 2440 wrote to memory of 3284	2440	MalwareBazaar.exe	98
PID 2440 wrote to memory of 3284	2440	MalwareBazaar.exe	98
PID 2440 wrote to memory of 3284	2440	MalwareBazaar.exe	98
PID 2440 wrote to memory of 3284	2440	MalwareBazaar.exe	98

C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\note\nots.dat

Filesize
144B

MD5
c2be390b3d6019751d22bd77fc469dfa

SHA1
24d2d9718e719ab95d920cdec325b8f90ebe939f

SHA256
fff48939bd7423ef64afa497a0abbfd42e238a7212d11172aba7479377c54991

SHA512
3e091100280732d8e52fba307259499ae542a9767964107ef0bdd5de43ba79ba5a9a225edd5dd7b5c703d42546d201bc6ad07769c3265b330375d4d4954c156d

Download Submit
memory/2440-8-0x0000000006080000-0x0000000006086000-memory.dmp

Filesize
24KB

Download
memory/2440-10-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/2440-3-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/2440-4-0x0000000009860000-0x0000000009B22000-memory.dmp

Filesize
2.8MB

Download
memory/2440-5-0x000000000F7C0000-0x000000000FD64000-memory.dmp

Filesize
5.6MB

Download
memory/2440-6-0x00000000087C0000-0x0000000008852000-memory.dmp

Filesize
584KB

Download
memory/2440-2-0x0000000005170000-0x000000000520C000-memory.dmp

Filesize
624KB

Download
memory/2440-21-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/2440-7-0x0000000005F90000-0x0000000005F9A000-memory.dmp

Filesize
40KB

Download
memory/2440-9-0x000000007472E000-0x000000007472F000-memory.dmp

Filesize
4KB

Download
memory/2440-11-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/2440-12-0x0000000005B00000-0x0000000005B1A000-memory.dmp

Filesize
104KB

Download
memory/2440-13-0x0000000005B40000-0x0000000005B46000-memory.dmp

Filesize
24KB

Download
memory/2440-0-0x000000007472E000-0x000000007472F000-memory.dmp

Filesize
4KB

Download
memory/2440-1-0x00000000002B0000-0x0000000000392000-memory.dmp

Filesize
904KB

Download
memory/3284-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3284-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3284-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3284-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3284-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3284-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3284-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3284-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3284-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3284-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3284-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3284-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing