General

  • Target

    VALI URGE No FVE 9548 ABRIL 10 DEL 2024.tar

  • Size

    21.7MB

  • Sample

    240410-zx2eqaee8t

  • MD5

    105e34480e40d30724c59721e93ddfac

  • SHA1

    e473a34e9c14bff3599d1be6d56c768025e15441

  • SHA256

    5008e38b7877d9c70a4fd7c48b2b3f6a4b9967ead50e91eff4a5deb59e7d95ff

  • SHA512

    6c3efc8372009af5508d0900e87203acb71b2d880c5f72b87860fcdcb149b753a5ae61373175d95689a6618c7c0d7a416e93f7910ba0516bc6bcd68dc689adf0

  • SSDEEP

    393216:gkq5tRLwvFGAmn/T9DvmEwiixLLVEYaVyDxppRwFK3q5hNBqY5H/5RLlc95rIo:gkqn2NG7T96B2VyVpTw15hNUY895r1

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    BENDECIDO

  • C2

    limpios.con-ip.com:1991

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-9MWYZO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      VALI URGE No FVE 9548 ABRIL 10 DEL 2024.exe

    • Size

      70.2MB

    • MD5

      a9b2503d832d58655c38082c52ce6a73

    • SHA1

      b1797fd85f8d8c2f11274747565ed41be5900cd5

    • SHA256

      95aa22d791731eee133ea016387abc2fe02547643e50328ad2cd0464104ccd20

    • SHA512

      e35f5d823cd7205304f1969a53b06e36727d3366d3b4d54e54295e2368612c0e01e8398e9096727226de3737a5f028ae29e5ef9cdfe2d72c2dba8bd7c87c908b

    • SSDEEP

      1572864:x5w5eNmll2Ca9N41CGwqxRXL/A3mGmkAOTIJsbXCt2X3M8VXDs09Dl:LYqV5

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger
