remcos | cd7c3f2c5f79c619b75afa181ed0c7e7215025a8ea514a2680f8e30bb424aef8

General

Target

Notificacion/01Notificacion juridica.exe
Size

446KB
MD5

485008b43f0edceba0e0d3ca04bc1c1a
SHA1

55ae8f105af415bb763d1b87f6572f078052877c
SHA256

12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10
SHA512

402652786daae635c7405f5fa0924d768cbde2086f9f57b10f00f921dec98e37168f5c3a6baa5593ba9a478f3971d32747c517ffd485d25634c924e6b08815b1
SSDEEP

12288:vK5+DMJA3TAz4plk9iZOOti81N5y1qMIg+GV5Zul3M:y5+DMJA3TAz4plk9ijK1qlGV7ulM

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

febrerososte.duckdns.org:1213

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FY15HO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

01Notificacion juridica.exe

description pid process target process

PID 1668 set thread context of 2348 1668 01Notificacion juridica.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

01Notificacion juridica.execmd.exe

pid process

1668 01Notificacion juridica.exe
1668 01Notificacion juridica.exe
2348 cmd.exe
2348 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

01Notificacion juridica.execmd.exe

pid process

1668 01Notificacion juridica.exe
2348 cmd.exe

description	pid	process	target process
PID 1668 set thread context of 2348	1668	01Notificacion juridica.exe	cmd.exe

pid	process
1668	01Notificacion juridica.exe
1668	01Notificacion juridica.exe
2348	cmd.exe
2348	cmd.exe

pid	process
1668	01Notificacion juridica.exe
2348	cmd.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

01Notificacion juridica.execmd.exe

description	pid	process	target process
PID 1668 wrote to memory of 2348	1668	01Notificacion juridica.exe	cmd.exe
PID 1668 wrote to memory of 2348	1668	01Notificacion juridica.exe	cmd.exe
PID 1668 wrote to memory of 2348	1668	01Notificacion juridica.exe	cmd.exe
PID 1668 wrote to memory of 2348	1668	01Notificacion juridica.exe	cmd.exe
PID 1668 wrote to memory of 2348	1668	01Notificacion juridica.exe	cmd.exe
PID 2348 wrote to memory of 2524	2348	cmd.exe	explorer.exe
PID 2348 wrote to memory of 2524	2348	cmd.exe	explorer.exe
PID 2348 wrote to memory of 2524	2348	cmd.exe	explorer.exe
PID 2348 wrote to memory of 2524	2348	cmd.exe	explorer.exe
PID 2348 wrote to memory of 2524	2348	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\Notificacion\01Notificacion juridica.exe
"C:\Users\Admin\AppData\Local\Temp\Notificacion\01Notificacion juridica.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\registros.dat

Filesize
144B

MD5
63b15e38f931a8fee9dcd7f1b964a9bc

SHA1
aa693c9681bf411cbbc852746eedf3367a5fc602

SHA256
1988ff972393beb491e9428021826bf4f8253c9c98d9089b7f7c5701b60ac60a

SHA512
dd9c0027a5e23bca0ab066cbb8c5d01053d9f1c1f40b7691e0a8f5e4e146f2d253f0c97a32041df810fd2cd0876275ec0f544b4efa8586d4516686ac55c763b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\995b035f

Filesize
1.1MB

MD5
36f9fb15960c07c4d5cc2ef89668e954

SHA1
8555ed75cc03ba2f8629cceeb6e973aacbe0a494

SHA256
b99e26816dfc80829b69a6a66ea7a27438e1aa6a3420f68d6d05c98f4197149f

SHA512
55620c8a277d3e65fd5242e62a792af41cde2ca632672a06fab12110da7fb4572eb2a417ff12187cc01ee1720c882885c8cff54a06eb8030eff72c33888f6340

Download Submit
memory/1668-0-0x0000000074D80000-0x0000000074EF4000-memory.dmp

Filesize
1.5MB

Download
memory/1668-1-0x0000000077530000-0x00000000776D9000-memory.dmp

Filesize
1.7MB

Download
memory/1668-7-0x0000000074D80000-0x0000000074EF4000-memory.dmp

Filesize
1.5MB

Download
memory/1668-8-0x0000000074D80000-0x0000000074EF4000-memory.dmp

Filesize
1.5MB

Download
memory/2348-10-0x0000000074D80000-0x0000000074EF4000-memory.dmp

Filesize
1.5MB

Download
memory/2348-12-0x0000000077530000-0x00000000776D9000-memory.dmp

Filesize
1.7MB

Download
memory/2348-58-0x0000000074D80000-0x0000000074EF4000-memory.dmp

Filesize
1.5MB

Download
memory/2348-59-0x0000000074D80000-0x0000000074EF4000-memory.dmp

Filesize
1.5MB

Download
memory/2348-61-0x0000000074D80000-0x0000000074EF4000-memory.dmp

Filesize
1.5MB

Download
memory/2524-65-0x0000000000860000-0x0000000000AE1000-memory.dmp

Filesize
2.5MB

Download
memory/2524-78-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2524-66-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2524-69-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2524-72-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2524-62-0x0000000077530000-0x00000000776D9000-memory.dmp

Filesize
1.7MB

Download
memory/2524-75-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2524-63-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2524-81-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2524-84-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2524-87-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2524-90-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2524-93-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2524-96-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing