remcos | 5eefc105d5ab9d2d68363b9789bf36a21556e5c22d3f5e22ecfa7471749c027f

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DEMANDA LABORAL POR ABUSO DE CONFIANZA 6154/msimg32.dll
Size

4.5MB
MD5

5c8efc44873f7b3206bf6848cda5a910
SHA1

513f40cf130c25b2ce5fbc1d4461db1b11003b06
SHA256

1dbaf868164cb30ad1841278748fea090d2b6e0862aea240c498afe41f2ad4de
SHA512

65c037efe8e0c90a491756115f8f8e31440aa07631d7e19e30ab6a55bcd0fded7539ac4a26515f0c75d1114b87c3c6c4242b6e495bedd6f7ae3406b682ab86e4
SSDEEP

98304:Q7cVE/ETJBs0YTUaoP2MNT9L/fO3Jajv:Q7cVE/ETJBs0NRLnO5a

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

masterosamell32.kozow.com:6565

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3J5KKR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 64 IoCs

flow	pid	Process
3	2948	rundll32.exe
4	2948	rundll32.exe
5	2948	rundll32.exe
6	2948	rundll32.exe
7	2948	rundll32.exe
8	2948	rundll32.exe
9	2948	rundll32.exe
10	2948	rundll32.exe
11	2948	rundll32.exe
12	2948	rundll32.exe
13	2948	rundll32.exe
14	2948	rundll32.exe
15	2948	rundll32.exe
16	2948	rundll32.exe
17	2948	rundll32.exe
18	2948	rundll32.exe
19	2948	rundll32.exe
20	2948	rundll32.exe
21	2948	rundll32.exe
22	2948	rundll32.exe
23	2948	rundll32.exe
24	2948	rundll32.exe
25	2948	rundll32.exe
26	2948	rundll32.exe
27	2948	rundll32.exe
28	2948	rundll32.exe
29	2948	rundll32.exe
30	2948	rundll32.exe
31	2948	rundll32.exe
32	2948	rundll32.exe
33	2948	rundll32.exe
34	2948	rundll32.exe
35	2948	rundll32.exe
36	2948	rundll32.exe
37	2948	rundll32.exe
38	2948	rundll32.exe
39	2948	rundll32.exe
40	2948	rundll32.exe
41	2948	rundll32.exe
42	2948	rundll32.exe
43	2948	rundll32.exe
44	2948	rundll32.exe
45	2948	rundll32.exe
46	2948	rundll32.exe
47	2948	rundll32.exe
48	2948	rundll32.exe
49	2948	rundll32.exe
50	2948	rundll32.exe
51	2948	rundll32.exe
52	2948	rundll32.exe
53	2948	rundll32.exe
54	2948	rundll32.exe
55	2948	rundll32.exe
56	2948	rundll32.exe
57	2948	rundll32.exe
58	2948	rundll32.exe
59	2948	rundll32.exe
60	2948	rundll32.exe
61	2948	rundll32.exe
62	2948	rundll32.exe
63	2948	rundll32.exe
64	2948	rundll32.exe
65	2948	rundll32.exe
66	2948	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2948	rundll32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 3016	2372	rundll32.exe	31
PID 2372 wrote to memory of 3016	2372	rundll32.exe	31
PID 2372 wrote to memory of 3016	2372	rundll32.exe	31
PID 2372 wrote to memory of 3016	2372	rundll32.exe	31
PID 2372 wrote to memory of 3016	2372	rundll32.exe	31
PID 2372 wrote to memory of 3016	2372	rundll32.exe	31
PID 2372 wrote to memory of 3016	2372	rundll32.exe	31
PID 3016 wrote to memory of 2948	3016	rundll32.exe	32
PID 3016 wrote to memory of 2948	3016	rundll32.exe	32
PID 3016 wrote to memory of 2948	3016	rundll32.exe	32
PID 3016 wrote to memory of 2948	3016	rundll32.exe	32
PID 3016 wrote to memory of 2948	3016	rundll32.exe	32
PID 3016 wrote to memory of 2948	3016	rundll32.exe	32
PID 3016 wrote to memory of 2948	3016	rundll32.exe	32
PID 3016 wrote to memory of 2948	3016	rundll32.exe	32
PID 3016 wrote to memory of 2948	3016	rundll32.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL POR ABUSO DE CONFIANZA 6154\msimg32.dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL POR ABUSO DE CONFIANZA 6154\msimg32.dll",#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe"
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
4247cc0fd4212614d3d26c52ac4fcc29

SHA1
7b82eb63f7cb0d39055644eb781d1b6164f0c043

SHA256
2d91134e8493cbc16f87d5b1b4d9d9b31dda954010129803ce2f03a6bc1cf7fe

SHA512
f545de86da68db180bdd61c4901204a343c2f52f936c270b4e40451e14887db99db8277af3d7472eaffe3b994a7376d606112c6c4bdfd346d9c6773fdc2c268e

Download Submit
memory/2948-38-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-70-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-16-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-13-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-10-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-7-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-72-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-39-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-71-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-40-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-69-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-68-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-66-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-20-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-21-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-22-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-23-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-24-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-25-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-27-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-28-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-29-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-30-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-31-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-32-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-33-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-34-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-36-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-37-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2948-41-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-19-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-65-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-43-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-44-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-45-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-46-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-47-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-48-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-49-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-50-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-52-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-53-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-54-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-55-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-56-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-57-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-58-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-15-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-60-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-61-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-62-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-63-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/2948-64-0x0000000000090000-0x0000000000110000-memory.dmp

Filesize
512KB

Download
memory/3016-0-0x0000000010000000-0x0000000010486000-memory.dmp

Filesize
4.5MB

Download
memory/3016-2-0x0000000010000000-0x0000000010486000-memory.dmp

Filesize
4.5MB

Download
memory/3016-3-0x0000000010000000-0x0000000010486000-memory.dmp

Filesize
4.5MB

Download
memory/3016-11-0x0000000010000000-0x0000000010486000-memory.dmp

Filesize
4.5MB

Download
memory/3016-5-0x0000000010000000-0x0000000010486000-memory.dmp

Filesize
4.5MB

Download
memory/3016-4-0x0000000010000000-0x0000000010486000-memory.dmp

Filesize
4.5MB

Download
memory/3016-1-0x0000000010020000-0x000000001003F000-memory.dmp

Filesize
124KB

Download