Overview

overview

10

Static

static

3

6030ff80b6...92.exe

windows7-x64

10

6030ff80b6...92.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    59s
  • max time network
    59s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2025, 20:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe

  • Size

    1.1MB

  • MD5

    a72b4bcb182f1051674b27e3c84e550f

  • SHA1

    938d4163a9a9485b8310866b9095a7e0ac6f0362

  • SHA256

    6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192

  • SHA512

    8820e7c7702894de6996455a48f49675f3699cc4002e98cbdf7a1c610db1decaa5c2156e30d9a87c5cbb248d904201acbd30d09072fadfd08b4568db8855f313

  • SSDEEP

    24576:eaTgKwZ14X27uUL3VM0kd+rkhfMsjgkAj2JE06J5N0Fi:LTgdZOcuUL3xAx/8b2S7Z0c

Score
10/10
remcoschinemeremdiscoveryrat

Malware Config

Extracted

Family

remcos

Version

2.2.2 Pro

Botnet

chinemerem

C2

remcoss.onmypc.org:3765

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    r-8ET8H0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe
    "C:\Users\Admin\AppData\Local\Temp\6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5468
    • C:\Users\Admin\AppData\Local\Temp\6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe
      "C:\Users\Admin\AppData\Local\Temp\6030ff80b6942595fc83ce9419392d35b1b6f51cf78f7c7969329c1e97f54192.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4796
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn SystemSettingsAdminFlows /tr "C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4876
  • C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe
    C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe
      "C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe"
      2⤵
      • Executes dropped EXE
      PID:4012
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn SystemSettingsAdminFlows /tr "C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe
    Filesize

    1.1MB

    MD5

    af8b04086b0d73d0560cb85d0880a918

    SHA1

    29fb69e44778762b6f1e6505cad417ee82e8acbc

    SHA256

    fd3a3708f878bbf48ca690dc4bce7f8a1a0990ff6f48a312f4245eef273ea88b

    SHA512

    b49b61f6f17cb13a4c9a8e31658ad5603fdb5c3ec43ba084519f172ec91a98639f9f0bbcb3ef4da6e55598642a48c9ffa1b2acda7898732d542e458f4e165ffc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\remcos\logs.dat
    Filesize

    79B

    MD5

    436a189ebd3d7b4aab02b4ce1d778236

    SHA1

    bd84171539d397681f96cf4667efd92f819afede

    SHA256

    be00ab6b45547c011f8609cb6205df581bb0f8975ca933f56b91d84c337e3580

    SHA512

    4a4a6fc1ceecd0c556bdb7877a8e5b224faf24eb7519e8df1d2eecc8a105cf4ddaf98ac49d36f1b7eac95c9314c9a2fb59372e1bcb89cd7f87b7addf6271957d

    Download Submit

  • memory/4012-36-0x0000000000CC0000-0x0000000000E49000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4176-43-0x0000000000CC0000-0x0000000000E49000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4176-42-0x0000000000CC0000-0x0000000000E49000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4176-40-0x0000000000CC0000-0x0000000000E49000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4176-38-0x0000000000C10000-0x0000000000C13000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4176-26-0x0000000000CC0000-0x0000000000E49000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4176-27-0x0000000000C10000-0x0000000000C13000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4796-11-0x0000000000350000-0x0000000000370000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4796-14-0x0000000000350000-0x0000000000370000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4796-10-0x0000000000350000-0x0000000000370000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4796-3-0x0000000000350000-0x0000000000370000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5468-21-0x0000000000C20000-0x0000000000DA9000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/5468-19-0x0000000000C20000-0x0000000000DA9000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/5468-16-0x0000000000C20000-0x0000000000DA9000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/5468-15-0x0000000000AA0000-0x0000000000AA3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/5468-0-0x0000000000C20000-0x0000000000DA9000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/5468-2-0x0000000000B50000-0x0000000000B51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5468-1-0x0000000000AA0000-0x0000000000AA3000-memory.dmp

    Filesize

    12KB

    Download