remcos | e6360d66b7e3b8aebee4ae5aae9e2f470ed8ba472373ff56057ad69b6c5ac54b | Triage

Sharing

General

Target

notifica a usted la primera audiencia por el proceso judicial adelantado.rar
Size

673KB
Sample

230327-tz2klsgd2z
MD5

ea1a6d4ee652e1810ca3df145259deab
SHA1

8eb9819138ef5d6e10e98e0e5524abf26d6791fa
SHA256

e6360d66b7e3b8aebee4ae5aae9e2f470ed8ba472373ff56057ad69b6c5ac54b
SHA512

6e9425a61762dcde831bef634c2d7de248d418343a4d419a6ac8d4152bd454ed0d6526a4f169c64210a3c434e493407a34344fd1af8cad50db27545b5bdde896
SSDEEP

12288:UyG+3U4tBSIUsuHVAQGs9Xwvd7MWcv7o8jrPbx1xWGFFPgUgZH:Uyr9q1AWGF7MWOR3XxWG3gUgZH

Score

10^/10

remcos lunes rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

LUNES

C2

lunesgermanarellanos.con-ip.com:1013

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-ARW24P
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  notifica a usted la primera audiencia por el proceso judicial adelantado.rar
- Size
  
  673KB
- MD5
  
  ea1a6d4ee652e1810ca3df145259deab
- SHA1
  
  8eb9819138ef5d6e10e98e0e5524abf26d6791fa
- SHA256
  
  e6360d66b7e3b8aebee4ae5aae9e2f470ed8ba472373ff56057ad69b6c5ac54b
- SHA512
  
  6e9425a61762dcde831bef634c2d7de248d418343a4d419a6ac8d4152bd454ed0d6526a4f169c64210a3c434e493407a34344fd1af8cad50db27545b5bdde896
- SSDEEP
  
  12288:UyG+3U4tBSIUsuHVAQGs9Xwvd7MWcv7o8jrPbx1xWGFFPgUgZH:Uyr9q1AWGF7MWOR3XxWG3gUgZH
Score

3^/10
behavioral1 behavioral2
- Target
  
  notifica a usted la primera audiencia por el proceso judicial adelantado.exe
- Size
  
  790KB
- MD5
  
  81a23531cb13ca317bbe76d5331f0ce5
- SHA1
  
  8895d9aefd3ca9f3c457fe51691c4a408819e69f
- SHA256
  
  b6a42d45119abc492113b7ac0bcf51a7ffe2aec2ea5fe47c35b62af0beeefd5a
- SHA512
  
  50c5bf43f9a0a5ed17415080f5394c72777f2b549df60e4707bb4b6e775e5570acb27d01a992d1037cf1c23deedf66991434cd73d86c5233c22691ed1cf994d6
- SSDEEP
  
  12288:PUJB0O+SFTCulU37koolxZnQSYlIHSNdDhiJhNPHok3U0iTK+JuQyKJhZckedxNK:EISFfU37kRk3myN14PX4gT8Dc
Score

10^/10

remcos lunes rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4