remcos | 510da872b991223204159a3a2db2c354990961a1131090fde23d9fde8c18c245

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

510DA872B991223204159A3A2DB2C354990961A1131090FDE23D9FDE8C18C245.exe
Size

1.4MB
MD5

27b2117dd7b51a94fabfa5b69f8e24cd
SHA1

75ae30e656f11222f42e4343c18b8651b5e091f2
SHA256

510da872b991223204159a3a2db2c354990961a1131090fde23d9fde8c18c245
SHA512

542524baf4d912f962c40dd3e873052cad2f2dda34bc8e3eb5a7561487a07abc1f1da87db5f239d65f9f7fa50845fba16639d85f0e5cddca0d35edee0bbec258
SSDEEP

24576:hAHnh+eWsN3skA4RV1Hom2KXMmHa3syoNcW9e4Lzt8kZ31p5:4h+ZkldoPK8Ya3+9v8kZ39

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

127.0.0.1:44999

127.0.0.1:54991

africarem.duckdns.org:54991

africarem.duckdns.org:44999

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KK3NDA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 3 IoCs

pid	Process
2620	name.exe
4372	name.exe
2736	name.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023cb3-13.dat	autoit_exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	510DA872B991223204159A3A2DB2C354990961A1131090FDE23D9FDE8C18C245.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3620	510DA872B991223204159A3A2DB2C354990961A1131090FDE23D9FDE8C18C245.exe
3620	510DA872B991223204159A3A2DB2C354990961A1131090FDE23D9FDE8C18C245.exe
2620	name.exe
2620	name.exe
4372	name.exe
4372	name.exe
2736	name.exe
2736	name.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3620	510DA872B991223204159A3A2DB2C354990961A1131090FDE23D9FDE8C18C245.exe
3620	510DA872B991223204159A3A2DB2C354990961A1131090FDE23D9FDE8C18C245.exe
2620	name.exe
2620	name.exe
4372	name.exe
4372	name.exe
2736	name.exe
2736	name.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 2620	3620	510DA872B991223204159A3A2DB2C354990961A1131090FDE23D9FDE8C18C245.exe	83
PID 3620 wrote to memory of 2620	3620	510DA872B991223204159A3A2DB2C354990961A1131090FDE23D9FDE8C18C245.exe	83
PID 3620 wrote to memory of 2620	3620	510DA872B991223204159A3A2DB2C354990961A1131090FDE23D9FDE8C18C245.exe	83
PID 2620 wrote to memory of 4372	2620	name.exe	84
PID 2620 wrote to memory of 4372	2620	name.exe	84
PID 2620 wrote to memory of 4372	2620	name.exe	84
PID 4372 wrote to memory of 2736	4372	name.exe	85
PID 4372 wrote to memory of 2736	4372	name.exe	85
PID 4372 wrote to memory of 2736	4372	name.exe	85

C:\Users\Admin\AppData\Local\Temp\510DA872B991223204159A3A2DB2C354990961A1131090FDE23D9FDE8C18C245.exe
"C:\Users\Admin\AppData\Local\Temp\510DA872B991223204159A3A2DB2C354990961A1131090FDE23D9FDE8C18C245.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\510DA872B991223204159A3A2DB2C354990961A1131090FDE23D9FDE8C18C245.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Local\directory\name.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Users\Admin\AppData\Local\directory\name.exe
      "C:\Users\Admin\AppData\Local\directory\name.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
fbd57b3deb88bc8fcb3d31849992c47c

SHA1
ee05aa6a06add656264af797fce110bc3ed872f5

SHA256
93aef7421ec83af3ee658e508ebf4b4787fbce26e9d372dd13c09513dcc95567

SHA512
26715fe24223e0e4c35e7cbf02215e54ced1248f9c0ec0d65a3b1b6cd55cf1aa195e2cbd603f09e40f449e4bfeb6c0da01b7cecceb4e3684173ace9208defa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\autB2B6.tmp

Filesize
414KB

MD5
914332b9bbda9f05ba02b1cc1a857a03

SHA1
c2e5dca6c62aa15427fc92066ef5f4948f6487c4

SHA256
05223be39a24bbabf5ad3fbaff565df1d37a38689de429ea8893bf7c79121087

SHA512
c0fffef0494285a35bcc1d01510605878095775eaa3ba58ff5c38b53c554d05b6b301b134a83b33b8d1f1ac4e3ad14e7f637aaecca8e8bacad80780afc71128f

Download Submit
C:\Users\Admin\AppData\Local\Temp\autB2F5.tmp

Filesize
9KB

MD5
7c40927bbb75742a1657a25f712afae3

SHA1
f3527f9c6351f4509e5c6093bf44ae39967b7da1

SHA256
241a4a312466edb1c2f1ddc38dd80390c4f4d681fc691cb084df928d7861b34e

SHA512
5844e2623c935c54349df5cef69dd4c5ca4eb93ac489f1f1b08cd8f4345f339c68c9e65c607252df5a6542e6a417137776f8056b774a5bf2865136b0c14702c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\juvenilely

Filesize
483KB

MD5
b00cdc73b7aaf7283f7858abf7cab1f1

SHA1
43ba26efdf019843b2461265f088b9465c3fd5a1

SHA256
39f7439b761835e406dcff3096e4bdb1393ce7aaf2011f4996a3155c6a9ca761

SHA512
af562e160af17d479db3811ea5874b0cff13c0000786dd38257b50f45bcd712898b76127af3b08fead1e9292806cfa997a30704a08444128a68ca342ea02cc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\juvenilely

Filesize
192KB

MD5
5ec3e66ec359fe262696965707c0a268

SHA1
c8e7c57affbe9d2a59b4dc0abc29301b6c337587

SHA256
5d0a1dc12b78208aa35698e33965e6b3919e56569e9fb50bc0204dd8b2512b88

SHA512
69934efa1ba379ff2bb18166125b91ab8804ce47a37ce6a1d3df82f62f2c3972e4fdcaba39fd32a2baef81cf56273256bb31b88cfe34b14055e02af25f111a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\schoolma

Filesize
28KB

MD5
9a216d069231fd79533ec521d9abf0e8

SHA1
32eb60eceecc28e8aa843756bdd6d8dd64393be1

SHA256
5b21b502a369f554ef6bf2697602d148a9b45786f5aaa0eb51d74d1be789b0e1

SHA512
d7e6a1b691beb497570b6d1ae57e9de1d13583124b582484f60bbcfa4652ce18432bf823423434ff50aa04433f10c54b6be1d9572e4ed8a408d3e812f1a267db

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.4MB

MD5
27b2117dd7b51a94fabfa5b69f8e24cd

SHA1
75ae30e656f11222f42e4343c18b8651b5e091f2

SHA256
510da872b991223204159a3a2db2c354990961a1131090fde23d9fde8c18c245

SHA512
542524baf4d912f962c40dd3e873052cad2f2dda34bc8e3eb5a7561487a07abc1f1da87db5f239d65f9f7fa50845fba16639d85f0e5cddca0d35edee0bbec258

Download Submit
memory/2736-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-95-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-99-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-103-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-113-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-114-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-119-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-121-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-123-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-124-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-126-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-128-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-129-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-132-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3620-10-0x0000000000F20000-0x0000000000F24000-memory.dmp

Filesize
16KB

Download