remcos | 955460c92190c8843a615001bfe8c88f9cd3a71e0c7500526d601140d078e811 | Triage

Sharing

General

Target

CIRCUNSTANCIA POR LITIGIO LABORAL, EL CUAL SE ENCUENTRA SUJETO.rar
Size

692KB
Sample

230330-j2n27adb71
MD5

775bf584fbab2c0282d0fa53ef825122
SHA1

f41364bee4169f4c071868a4ffcf742b4e17be10
SHA256

955460c92190c8843a615001bfe8c88f9cd3a71e0c7500526d601140d078e811
SHA512

c200fbf691cd70d26958441070abba42ee322b219a9e196c1fe50a622253520b7a1ed569acaebba7b8be8f784a0575adf4ce4e190153013cd27d7f0abd3f0d3d
SSDEEP

12288:GdGgHNJCF/PiPAsmVg9vMzFogwWQTphx8PAyaxtxfgkIyw+UkYtCBNdoagHuO4Ct:+HNJ2XiPAsWe0FozpwPTgtRIyxUkS4HM

Score

10^/10

remcos lunes rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

LUNES

C2

lunesgermanarellanos.con-ip.com:1013

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-ARW24P
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Extracted

Family

remcos

Botnet

LUNES

C2

lunesgermanarellanos.con-ip.com:1013

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-ARW24P
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  CIRCUNSTANCIA POR LITIGIO LABORAL, EL CUAL SE ENCUENTRA SUJETO..exe
- Size
  
  956KB
- MD5
  
  85951698e0f4f09401ed61cebc2b7fd9
- SHA1
  
  c39bd26eead0db6cce2fd01b37920183f8a4e36a
- SHA256
  
  96a0f6280efff1d4792b065c2c48870d3c9ae98a546b4e9e76372880a07cf737
- SHA512
  
  722d6e9dd4432c84b21548d4e185fa790b57ca3647c4642290bd2ba06cb9b6915155d6e9c0207411671fddc582f158e2269a23e4aee775be8e1b91595a8df048
- SSDEEP
  
  12288:7M2iNo3XdJVZz5dB3TMe8AL2k+n6Czzc+EEaGY80oKvR1/ODTN3g4c:7M12zVZ97TMeck262YnqYnoE6VBc
Score

10^/10

remcos lunes rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2