Overview

overview

10

Static

static

10

240802-n97...ed.zip

windows7-x64

1

240802-n97...ed.zip

windows10-2004-x64

1

bfc092b384...af.zip

windows7-x64

1

bfc092b384...af.zip

windows10-2004-x64

1

1/0178b79b...bd.exe

windows7-x64

10

1/0178b79b...bd.exe

windows10-2004-x64

10

1/0280cde4...60.exe

windows7-x64

10

1/0280cde4...60.exe

windows10-2004-x64

10

1/08b76206...65.exe

windows7-x64

10

1/08b76206...65.exe

windows10-2004-x64

10

1/0e4fc438...91.exe

windows7-x64

3

1/0e4fc438...91.exe

windows10-2004-x64

10

1/0fb86a8b...05.exe

windows7-x64

10

1/0fb86a8b...05.exe

windows10-2004-x64

10

1/25898c73...8f.exe

windows7-x64

10

1/25898c73...8f.exe

windows10-2004-x64

10

1/2c2e9491...3c.exe

windows7-x64

3

1/2c2e9491...3c.exe

windows10-2004-x64

10

1/2ef0f582...2e.exe

windows7-x64

3

1/2ef0f582...2e.exe

windows10-2004-x64

10

1/39884fc0...82.exe

windows7-x64

10

1/39884fc0...82.exe

windows10-2004-x64

10

1/3a72ecec...8a.exe

windows7-x64

10

1/3a72ecec...8a.exe

windows10-2004-x64

10

1/3bfcb4f7...71.exe

windows7-x64

10

1/3bfcb4f7...71.exe

windows10-2004-x64

10

1/4103411f...f5.exe

windows7-x64

10

1/4103411f...f5.exe

windows10-2004-x64

10

1/4e0fdb84...95.exe

windows7-x64

3

1/4e0fdb84...95.exe

windows10-2004-x64

7

1/5297372f...33.exe

windows7-x64

5

1/5297372f...33.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    93s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-08-2024 12:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe

  • Size

    1.3MB

  • MD5

    73d006e33d8eda033e684c07b15c53ad

  • SHA1

    e3e0a09b37beee1e19d5a6b9fd5322f906f4493d

  • SHA256

    0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160

  • SHA512

    1b2822a9f568783a6064194c21e4147ffb10c1a0c3ca00f586f3306cf7b5d0bee39af5dad5a78f720d75c09b0b71d44c75d05d9b432b1159915977006e9252db

  • SSDEEP

    24576:KAHnh+eWsN3skA4RV1Hom2KXMmHaKi4Tivd32MUMh9ZzU2Fk1gn5:dh+ZkldoPK8YaKi4mrUUZbk1I

Score
10/10
remcosremotehostdiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.64.149:2888

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-7Q1GRN

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1\0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
    "C:\Users\Admin\AppData\Local\Temp\1\0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\1\0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2812
      • \??\c:\program files (x86)\internet explorer\iexplore.exe
        "c:\program files (x86)\internet explorer\iexplore.exe"
        3⤵
          PID:312

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/312-16-0x0000000000F40000-0x0000000000F4E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/312-18-0x0000000000F40000-0x0000000000F4E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/312-20-0x0000000000F40000-0x0000000000F4E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/312-15-0x0000000000F40000-0x0000000000F4E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2772-10-0x0000000000C60000-0x0000000000C64000-memory.dmp

      Filesize

      16KB

      Download

    • memory/2812-11-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2812-12-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2812-13-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2812-14-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2812-19-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download