remcos | ab3a04d7711c664857a8fccfcaca260221888343734f967313e0c9934ec2a4ca | Triage

Resubmissions

11/07/2023, 13:54

230711-q72zkaae5s 10

06/07/2023, 14:39

230706-r1hg1scc53 10

Sharing

General

Target

Documento_digitaL.UUE
Size

1.2MB
Sample

230706-r1hg1scc53
MD5

d3ea98dcd9e9aeb7e277956ded3c93ee
SHA1

66adb2bd9752f1231c35f644e924fb05c95ba10b
SHA256

ab3a04d7711c664857a8fccfcaca260221888343734f967313e0c9934ec2a4ca
SHA512

e1c6d9afd2c7b0262a82fea87f4119aedea6ba15c582866e1f082b4faa45dbc0df542de90ff9e9498bc3febaae00a26b63189ab29a5aebcb1f59ad2bc45021f1
SSDEEP

24576:B5FCc0S3irFQLCofiUfoJZu731yusVh45fGsDP+HRd21xzB:B5FCc0jrFGfdfKuRpQ45fGsAHIxzB

Score

10^/10

remcos matarifejulio5 persistence rat

Malware Config

Extracted

Family

remcos

Botnet

matarifeJULIO5

C2

matarife.duckdns.org:2798

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
20
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZQGP5Y
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Documento_digitaL.SCR
- Size
  
  1.4MB
- MD5
  
  850d9e8271dcae3b78c922aeddd9f743
- SHA1
  
  95971cc0caf853f0e4750cdaff5874b4adc2a4a3
- SHA256
  
  0e25b5299c3df59e05d296b1478d43094d5d81e1a5b8706fd355b36388244326
- SHA512
  
  0e4af245411c80d1cdc52d72a16fddbad41a3dc9972bdb8a25fe9f50721c8306eebb17ee30c1a504e370ff7cb8175e411c4b13188336f093269468906500b5ef
- SSDEEP
  
  24576:9VgmnudJ41JhQ0IM6AYsLKBL/7DciY5tTb2p0UdEWVnK:9VSr4+M63ci6b2pxI
Score

10^/10

remcos matarifejulio5 persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosmatarifejulio5persistencerat

behavioral2

remcosmatarifejulio5persistencerat