remcos | 558d7578710ab52e037abcf275e9ecc00940a8852b910ed427584fadaacde631 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Factura por pagar N comprobante electronico 005001000603211.rar
Size

6KB
Sample

230330-h1nvcsbd58
MD5

d8185c35a11dcaaff2e971a615e05950
SHA1

d14159d91551a4b383f4cf0bd28c5190c99b2152
SHA256

558d7578710ab52e037abcf275e9ecc00940a8852b910ed427584fadaacde631
SHA512

0f8c8fb1977c0500bb77d6739d74370e1f7249ae79dbaf910cf84a0359529bda62ae24a170acc2312da73a537d586cf03a82bf2a06b000af0cd0016f50fe27b4
SSDEEP

96:TcPAJVa39XW00rBbebYCx9ZEbxBk/ySCGb3hOYZwbt+/Iy5cKu0KmcSJWvvq7ocm:TQO80rY/9kxBuDhQx+/pd5WvvIocm

Score

10^/10

remcos milomiercoles1 rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://5.42.199.235/dll/dll3.txt

Extracted

Family

remcos

Botnet

MiloMiercoles1

C2

contificoseguro.con-ip.com:2500

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logslmilomm.dat
keylog_flag
false
keylog_folder
logslivemilomm
keylog_path
%AppData%
mouse_option
false
mutex
Rmcau1milomm-AFUNP0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Factura por pagar N comprobante electronico 005001000603211.vbs
- Size
  
  912KB
- MD5
  
  2c9e2087047f7eb65a42a31a8407b6d7
- SHA1
  
  3686d693284171f624a9ecfaa8e0ec20cfc67791
- SHA256
  
  da9f30f6467709340226de7f1e28a62620a6939ed92a60b524dc57e8b486d807
- SHA512
  
  6d87c5f1098e9da24df1c090f69be76f26e321437cb8cfd4aec3d6faafd97a37b86d2761f4d12f00e6e098512009d2e8ff62eedf7a2103db42ce223416361731
- SSDEEP
  
  6144:8WkHWkXWkHWk3WkHWkCWkHWkxWkHWk0WkHWknWkHWk8WkHWkDWkHWkEWkHWkkWkL:x
Score

10^/10

remcos milomiercoles1 rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosmilomiercoles1rat