Analysis
-
max time kernel
42s -
max time network
48s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
23/03/2025, 20:08
General
-
Target
7caf68c89471c61128dc496052deb1bdc26b0a5c98218975cbd76545e483aaac.exe
-
Size
910KB
-
MD5
a24a1bbd8b0ce4737d179c924afc6e77
-
SHA1
40cd5db7d8a1d1c37ee23f90a363bc00dc36ee2a
-
SHA256
7caf68c89471c61128dc496052deb1bdc26b0a5c98218975cbd76545e483aaac
-
SHA512
f283a6c54bdf6f5a3a1ece5d90ea64cbc9586f3015dd03bfe0a0fd8966c54bd7f91ab00ce3cc49acc33c9642d99d36943a11c2d0819aa583ec8236cf956e1e91
-
SSDEEP
12288:kp+rgRNyA55IxJ+feDOa9rZj5XqkJD0QrOod7XxlW91RRz9M7:kpugRNJI1D39dlfGQrFUx9M7
Malware Config
Extracted
remcos
Host
213.183.58.19:4000
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
read.dat
-
keylog_flag
false
-
keylog_folder
CastC
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_sccafsoidz
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7caf68c89471c61128dc496052deb1bdc26b0a5c98218975cbd76545e483aaac.exe"C:\Users\Admin\AppData\Local\Temp\7caf68c89471c61128dc496052deb1bdc26b0a5c98218975cbd76545e483aaac.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
919KB
MD5839ec75070c757715a2deac1e0d8e977
SHA17bfcd9df63df4aec7ab26ca2a7e615b10fc4e01f
SHA25637b672e6bf7f50367503e62d8be1696efda11f89d23a4ea0c1824193082ff795
SHA512d8708fc529f1bccd178a9285001fc4ca55439be93ec8e9d3792bab8cd9d02992beb6d4b7f336e2a4d94f05b07bc62c60b97055dfbd4a654c5693316428424b06
-
Filesize
92KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB