Overview

overview

10

Static

static

5

PO.exe

windows7-x64

10

PO.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2024 03:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO.exe

  • Size

    1.3MB

  • MD5

    5d15087ab767a84ec8e8805bb26eb8b8

  • SHA1

    01bba4ff864c053b3485b20cb4e60666be7355a7

  • SHA256

    6b509b581157e265d6e3d2bdeed463195464daeafe98b57cea4ef59141d21b62

  • SHA512

    dcc463497cfbe933de85999b6010382b82a449f827621f1f5215a9459696f80172e69019b8d1385d2fc3edfe0543035b73042cbab7d2b860c8e382d8fa9d5805

  • SSDEEP

    24576:ztb20pkaCqT5TBWgNQ7azerXt4yv6uaDWBq74Ws66A:wVg5tQ7azeryYA4OZj5

Score
10/10
remcosremotehostdiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.64.152:2559

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ZFXG9Y

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO.exe
    "C:\Users\Admin\AppData\Local\Temp\PO.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Users\Admin\AppData\Local\corynteria\Bactris.exe
      "C:\Users\Admin\AppData\Local\Temp\PO.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3432
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\PO.exe"
        3⤵
          PID:756
        • C:\Users\Admin\AppData\Local\corynteria\Bactris.exe
          "C:\Users\Admin\AppData\Local\corynteria\Bactris.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Windows\SysWOW64\svchost.exe
            "C:\Users\Admin\AppData\Local\corynteria\Bactris.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4396
            • \??\c:\program files (x86)\internet explorer\iexplore.exe
              "c:\program files (x86)\internet explorer\iexplore.exe"
              5⤵
                PID:1388

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\aut9867.tmp
        Filesize

        389KB

        MD5

        dff4656eeb9273bfc7c07abe89b67ce8

        SHA1

        6835c2acbf72ffec1a4445aa6161d11ae0257820

        SHA256

        e3106421fe9b46c09de3ca31bc0856efd2c0efb285d0418324d197cd30eb1a29

        SHA512

        1b1cc1be47324732eb5bf19b05d4d16fef65a78779a1b7621f2a36576ff6d27c9735c0650e3a0ab18bf3e1ac49e76db2b03547628414a564e7b0b1789824653e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\pluffer
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\pluffer
        Filesize

        483KB

        MD5

        10121f879e46a153d8a84858c3d92157

        SHA1

        8a3c78b464ea83838afc43da5eeedef974a1189c

        SHA256

        fcdeaa445e4259175484e0f9305d97c8ab07710807282cb2aeb2deb603a36704

        SHA512

        b21d0e23f0ec329c04d729c664564b9ef491d21b6fbcf0c907e7892c3d5b479dbed25826771bf84210b5964c24bfc9c74e57f29789b05de3db172aec7a101a52

        Download Submit

      • C:\Users\Admin\AppData\Local\corynteria\Bactris.exe
        Filesize

        1.3MB

        MD5

        5d15087ab767a84ec8e8805bb26eb8b8

        SHA1

        01bba4ff864c053b3485b20cb4e60666be7355a7

        SHA256

        6b509b581157e265d6e3d2bdeed463195464daeafe98b57cea4ef59141d21b62

        SHA512

        dcc463497cfbe933de85999b6010382b82a449f827621f1f5215a9459696f80172e69019b8d1385d2fc3edfe0543035b73042cbab7d2b860c8e382d8fa9d5805

        Download Submit

      • memory/1388-34-0x0000000001300000-0x000000000130E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1388-35-0x0000000001300000-0x000000000130E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1388-33-0x0000000001300000-0x000000000130E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2360-28-0x00000000014F0000-0x00000000018F0000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3432-18-0x00000000017F0000-0x0000000001BF0000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4036-6-0x00000000018C0000-0x0000000001CC0000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4396-31-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4396-32-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4396-30-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4396-29-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4396-36-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download