remcos | 3927e9bf483943765d06f52b5da3e3ec5fbc2ac7db70be5c863f38765427d8f6

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

toolSync_v1/madHcCtrl.exe
Size

3.1MB
MD5

b841d408448f2a07f308ced1589e7673
SHA1

f5b5095c0ed69d42110df6d39810d12b1fa32a1e
SHA256

69a90665113bd73b30360d87f7f6ed2c789a90a67f3b6e86474e21273a64f699
SHA512

a689734048109ab7bec9491bbb7781686c19c7885166b3ca2975e2f49e956fcc388cd8ca85a4e5a8bf9efe6056f1e0d80197b7f521d4f0d4cadb10ba9ef1fa93
SSDEEP

49152:pvFg5qg9BtIAHE3SM4ahx6LK2SamuZob+tCjNrv8:Jm5qGBHBLRKuZfkjNrv8

Score

10^/10

remcos 5005 discovery rat

Malware Config

Extracted

Family

remcos

Botnet

5005

92.255.85.63:5005

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-6TENMT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 2260	2524	madHcCtrl.exe	31

Executes dropped EXE 1 IoCs

pid	Process
2524	madHcCtrl.exe

Loads dropped DLL 5 IoCs

pid	Process
3056	madHcCtrl.exe
3056	madHcCtrl.exe
2524	madHcCtrl.exe
2524	madHcCtrl.exe
2524	madHcCtrl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	madHcCtrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	madHcCtrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3056	madHcCtrl.exe
2524	madHcCtrl.exe
2524	madHcCtrl.exe
2260	cmd.exe
2260	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2524	madHcCtrl.exe
2260	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2524	3056	madHcCtrl.exe	30
PID 3056 wrote to memory of 2524	3056	madHcCtrl.exe	30
PID 3056 wrote to memory of 2524	3056	madHcCtrl.exe	30
PID 3056 wrote to memory of 2524	3056	madHcCtrl.exe	30
PID 2524 wrote to memory of 2260	2524	madHcCtrl.exe	31
PID 2524 wrote to memory of 2260	2524	madHcCtrl.exe	31
PID 2524 wrote to memory of 2260	2524	madHcCtrl.exe	31
PID 2524 wrote to memory of 2260	2524	madHcCtrl.exe	31
PID 2524 wrote to memory of 2260	2524	madHcCtrl.exe	31
PID 2260 wrote to memory of 1908	2260	cmd.exe	34
PID 2260 wrote to memory of 1908	2260	cmd.exe	34
PID 2260 wrote to memory of 1908	2260	cmd.exe	34
PID 2260 wrote to memory of 1908	2260	cmd.exe	34
PID 2260 wrote to memory of 1908	2260	cmd.exe	34
PID 2260 wrote to memory of 1908	2260	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\toolSync_v1\madHcCtrl.exe
"C:\Users\Admin\AppData\Local\Temp\toolSync_v1\madHcCtrl.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Roaming\toolSync_v1\madHcCtrl.exe
  C:\Users\Admin\AppData\Roaming\toolSync_v1\madHcCtrl.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6bdded63

Filesize
1.2MB

MD5
841159cbfe47769bfa95d4127790146b

SHA1
7d8560c0e6f369a282c0d445f3a5270a9ccb9bb8

SHA256
ee6dd6bacbd1754631e43a1f5b1f8f9e8e162b563ee60d861de9587b90fbef22

SHA512
dd94f8a25482a0ff6de3d449e8a356c30452eb3438f2595572f1be50b51f91a52274402571946d04af01fa7661091bed0db95ee390c5ff6908eeb8370ad60d27

Download Submit
C:\Users\Admin\AppData\Roaming\toolSync_v1\agitator.asp

Filesize
947KB

MD5
f235ee7a69eb63d209526641e146fbfb

SHA1
a93ae672d8b21f0cac0652c5ed1b098ffa791b77

SHA256
bf2203ae2b727f3c4f63a46ab9d5beac1189de6b9d4db641b5965c1027596337

SHA512
56d851567016419274e93a35dce2c8d8807f07530e9248c9b3c30be5ee0fb5f39e935ccff653d16a360866f8b4aff59a07070dcf19202f59ad722a0f53e0c1de

Download Submit
C:\Users\Admin\AppData\Roaming\toolSync_v1\buzzard.jpg

Filesize
56KB

MD5
b5b479dd84c8465723f62d9bfa890a8e

SHA1
ade400a8ccb15678705b269862acf350a61c58b4

SHA256
dafeebfa6e92322d2966652d1950dee45d686f3b13051ef889a67e7014906136

SHA512
4384800fd6868efaf0e4f5a4796efebb4c6264ccd42e60a256e73fa9fec0724ef796b8030ee897f699927af67e83e0e40350e461cb3d69f102536291faf18ae5

Download Submit
C:\Users\Admin\AppData\Roaming\toolSync_v1\madHcNet32.dll

Filesize
894KB

MD5
041d41db569d4bbe764df2586205027e

SHA1
ea36c581a456fa55694df4a0748ca6e3795dca2b

SHA256
76dd9f6acbd1104458bcfc216c32e4f8d4de7ae63bbaf01412bd9aa545c4ed59

SHA512
661dea5145d31ce15fae23a1c2c4591e743a8528bd4eac6a426bf7fad12b4d2aaea01d69d71fbdadbc8d45d4485e94df1f68af1c5a489cf92893c54f2fe6cd83

Download Submit
C:\Users\Admin\AppData\Roaming\toolSync_v1\mvrSettings32.dll

Filesize
1.0MB

MD5
d168f18b79f9f33690f011d1deb1e7cf

SHA1
cf0d984ce101ec274e65e88fae07daeb26de5a6d

SHA256
b7d3bc460a17e1b43c9ff09786e44ea4033710538bdb539400b55e5b80d0b338

SHA512
bbf085bcbc3c1c98caba95bdf48051bac18bbd1b7314c7bb55b56e3d423fb34758cc239c237091486cc466123bf02844eaac3b4435cb535af25dc2bca625af71

Download Submit
\Users\Admin\AppData\Roaming\toolSync_v1\madHcCtrl.exe

Filesize
3.1MB

MD5
b841d408448f2a07f308ced1589e7673

SHA1
f5b5095c0ed69d42110df6d39810d12b1fa32a1e

SHA256
69a90665113bd73b30360d87f7f6ed2c789a90a67f3b6e86474e21273a64f699

SHA512
a689734048109ab7bec9491bbb7781686c19c7885166b3ca2975e2f49e956fcc388cd8ca85a4e5a8bf9efe6056f1e0d80197b7f521d4f0d4cadb10ba9ef1fa93

Download Submit
\Users\Admin\AppData\Roaming\toolSync_v1\unrar.dll

Filesize
304KB

MD5
851c9e8ce9f94457cc36b66678f52494

SHA1
40abd38c4843ce33052916904c86df8aab1f1713

SHA256
0891edb0cc1c0208af2e4bc65d6b5a7160642f89fd4b4dc321f79d2b5dfc2dcc

SHA512
cdf62a7f7bb7a6d511555c492932e9bcf18183c64d4107cd836de1741f41ac304bd6ed553fd868b442eaf5da33198e4900e670cd5ae180d534d2bd56b42d6664

Download Submit
memory/1908-92-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1908-95-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1908-100-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1908-99-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1908-98-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1908-97-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1908-96-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1908-88-0x0000000077540000-0x00000000776E9000-memory.dmp

Filesize
1.7MB

Download
memory/1908-94-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1908-89-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2260-93-0x0000000074930000-0x0000000074AA4000-memory.dmp

Filesize
1.5MB

Download
memory/2260-38-0x0000000074930000-0x0000000074AA4000-memory.dmp

Filesize
1.5MB

Download
memory/2260-40-0x0000000077540000-0x00000000776E9000-memory.dmp

Filesize
1.7MB

Download
memory/2260-86-0x0000000074930000-0x0000000074AA4000-memory.dmp

Filesize
1.5MB

Download
memory/2524-30-0x0000000074943000-0x0000000074945000-memory.dmp

Filesize
8KB

Download
memory/2524-28-0x0000000074930000-0x0000000074AA4000-memory.dmp

Filesize
1.5MB

Download
memory/2524-36-0x00000000002E0000-0x00000000003EB000-memory.dmp

Filesize
1.0MB

Download
memory/2524-37-0x0000000074930000-0x0000000074AA4000-memory.dmp

Filesize
1.5MB

Download
memory/2524-25-0x00000000002E0000-0x00000000003EB000-memory.dmp

Filesize
1.0MB

Download
memory/2524-34-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2524-35-0x000000004A600000-0x000000004A6EC000-memory.dmp

Filesize
944KB

Download
memory/2524-31-0x0000000074930000-0x0000000074AA4000-memory.dmp

Filesize
1.5MB

Download
memory/2524-29-0x0000000077540000-0x00000000776E9000-memory.dmp

Filesize
1.7MB

Download
memory/3056-15-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/3056-0-0x0000000000720000-0x000000000082B000-memory.dmp

Filesize
1.0MB

Download
memory/3056-2-0x0000000077540000-0x00000000776E9000-memory.dmp

Filesize
1.7MB

Download
memory/3056-18-0x0000000000720000-0x000000000082B000-memory.dmp

Filesize
1.0MB

Download
memory/3056-1-0x0000000074950000-0x0000000074AC4000-memory.dmp

Filesize
1.5MB

Download
memory/3056-17-0x000000004A600000-0x000000004A6EC000-memory.dmp

Filesize
944KB

Download