remcos | 23d23d9bfe66cfcca000342ec36c54f6bbc138a5a50fc1a4f9de28dcf7be72bb

Analysis

max time kernel
149s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6.exe
Size

3.3MB
MD5

b294eaca8fd0644ad05b2d8c760baf8d
SHA1

9275529b6e9c5113d3c553bcd4a7340dbad55cd6
SHA256

23d23d9bfe66cfcca000342ec36c54f6bbc138a5a50fc1a4f9de28dcf7be72bb
SHA512

c4ca9fb97815c2aa71974a287d2a4ba22b64dd82a3cdc2e8f8cbaf443c70e478ba39b35477f9d84883df8cc6cf5dfad0a2b17f39bedf5d37b0109c8fbcad96b3
SSDEEP

49152:d77LvQE87W0HWTKM4sUgFXSyTiYC7xgVjyK/Fj/m:NOpYC7SyK/Fi

Score

10^/10

remcos wdkgb rat

Malware Config

Extracted

Family

remcos

Botnet

WDKGB

www.dpm-sael.com:2017

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
WDKGB-CEMF8I
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

6.exe

description pid process target process

PID 1428 set thread context of 4332 1428 6.exe regasm.exe

description	pid	process	target process
PID 1428 set thread context of 4332	1428	6.exe	regasm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6.exe

description	pid	process	target process
PID 1428 wrote to memory of 4332	1428	6.exe	regasm.exe
PID 1428 wrote to memory of 4332	1428	6.exe	regasm.exe
PID 1428 wrote to memory of 4332	1428	6.exe	regasm.exe
PID 1428 wrote to memory of 4332	1428	6.exe	regasm.exe
PID 1428 wrote to memory of 4332	1428	6.exe	regasm.exe
PID 1428 wrote to memory of 4332	1428	6.exe	regasm.exe
PID 1428 wrote to memory of 4332	1428	6.exe	regasm.exe
PID 1428 wrote to memory of 4332	1428	6.exe	regasm.exe
PID 1428 wrote to memory of 4332	1428	6.exe	regasm.exe
PID 1428 wrote to memory of 4332	1428	6.exe	regasm.exe
PID 1428 wrote to memory of 4332	1428	6.exe	regasm.exe
PID 1428 wrote to memory of 4332	1428	6.exe	regasm.exe

C:\Users\Admin\AppData\Local\Temp\6.exe
"C:\Users\Admin\AppData\Local\Temp\6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
2⤵
PID:4332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4332-1-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-2-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-3-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-6-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-9-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-10-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download