remcos

General

Target

FACTURAS VENCIDAS.pdf.lnk
Size

4KB
Sample

220817-hzyceaccbr
MD5

321240e769016fa53af40cb6ab98cc0d
SHA1

44b6143d5ec750d11f38d311622ef849b8ec5178
SHA256

517b9d73ba6d6fd29ef0e008a01b11487c9217e466e17bb073a05412b3932e5b
SHA512

b8189176905d269d0135267ac47ac30f140ab76cb8ae5025250691f99f6b8ae186d05bad3bee3521726d6dc4f14f25cca3235aebcd9a9f56c8b8e93eb52e86dd
SSDEEP

96:8yDrsv8TjDTDbmGyTVvSFEcLqZCwjBr9c+S1U:8yDQv8TjfD5qR9c1

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://movilidadvialcolombia.com/envios.hta

Extracted

Language

hta

Source

URLs

hta.dropper

https://movilidadvialcolombia.com/envios.hta

Extracted

Family

remcos

Botnet

ENVIOJAGOSTO 16

C2

logisitica.discisoted.info:5505

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
fryuias
mouse_option
false
mutex
yyuhajsstr-SGRMTP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  FACTURAS VENCIDAS.pdf.lnk
- Size
  
  4KB
- MD5
  
  321240e769016fa53af40cb6ab98cc0d
- SHA1
  
  44b6143d5ec750d11f38d311622ef849b8ec5178
- SHA256
  
  517b9d73ba6d6fd29ef0e008a01b11487c9217e466e17bb073a05412b3932e5b
- SHA512
  
  b8189176905d269d0135267ac47ac30f140ab76cb8ae5025250691f99f6b8ae186d05bad3bee3521726d6dc4f14f25cca3235aebcd9a9f56c8b8e93eb52e86dd
- SSDEEP
  
  96:8yDrsv8TjDTDbmGyTVvSFEcLqZCwjBr9c+S1U:8yDQv8TjfD5qR9c1
Score

10^/10

remcos enviojagosto 16 persistence rat
- Modifies WinLogon for persistence
  persistence
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Modifies WinLogon for persistence

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2