Resubmissions
05-02-2025 05:35
250205-gabxfatmcq 1003-02-2025 03:04
250203-dkkqjszkhq 1003-02-2025 02:21
250203-cs7plsylfr 1003-02-2025 02:20
250203-csf7nawqbz 1002-02-2025 21:21
250202-z7mdjsylhx 302-02-2025 18:40
250202-xbfvsawpaq 1002-02-2025 18:19
250202-wyncpstlfw 1024-01-2025 01:23
250124-br1z1asnhz 1024-01-2025 00:12
250124-ag75wssjak 1028-11-2024 02:19
241128-cr9sks1kht 10Analysis
-
max time kernel
9s -
max time network
10s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
03-02-2025 02:20
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
remcos
RemoteHost
185.158.251.159:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-TKL5S3
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Downloads MZ/PE file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"1⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\rea.exe"C:\Users\Admin\AppData\Local\Temp\Files\rea.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
234KB
MD54567528ddb8444c07071178a1684f4da
SHA11db093fa344bbd5ef57dde640c53b7362656582e
SHA256afc3f655dfee4bc9f76c00a0c9ccffe310487a3c3394ea12037235e124139c28
SHA512269c918a056735701b3b02f6d3864cd6a72c08aeeed4f30b6eb6c4fe83da06210c208e6d53d8808b04c3b708ad125fd5ed9733345198b3619fcb6061756429d1
-
Filesize
469KB
MD529b622980bc32771d8cac127961b0ba5
SHA1895a13abd7ef4f8e0ea9cc1526350eccf1934b27
SHA256056cdf4a67164ded09385efec0912ccbb1c365c151d01b0a3633de1c4d410a18
SHA5127410b6413f4177d44ad3b55652ca57e3d622c806e423286a3ae90dd8026edb3552d304fde3c2b82ee0b8ef3dc4ba0e4a185d0d03be96d9fa5f8be7347592db95
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB