Overview

overview

10

Static

static

5

COTIZACIÓ...DF.exe

windows7-x64

10

COTIZACIÓ...DF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    15/07/2024, 05:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    COTIZACIÓN_______________________________________________PDF______________________PDF.exe

  • Size

    1.3MB

  • MD5

    73d006e33d8eda033e684c07b15c53ad

  • SHA1

    e3e0a09b37beee1e19d5a6b9fd5322f906f4493d

  • SHA256

    0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160

  • SHA512

    1b2822a9f568783a6064194c21e4147ffb10c1a0c3ca00f586f3306cf7b5d0bee39af5dad5a78f720d75c09b0b71d44c75d05d9b432b1159915977006e9252db

  • SSDEEP

    24576:KAHnh+eWsN3skA4RV1Hom2KXMmHaKi4Tivd32MUMh9ZzU2Fk1gn5:dh+ZkldoPK8YaKi4mrUUZbk1I

Score
10/10
remcosremotehostrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.64.149:2888

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-7Q1GRN

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_______________________________________________PDF______________________PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_______________________________________________PDF______________________PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_______________________________________________PDF______________________PDF.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\System32\svchost.exe
        3⤵
          PID:2688

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2176-11-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2176-13-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2176-14-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2176-19-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2644-10-0x0000000000110000-0x0000000000114000-memory.dmp

      Filesize

      16KB

      Download

    • memory/2688-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2688-21-0x00000000000C0000-0x00000000000C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2688-20-0x00000000000C0000-0x00000000000C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2688-17-0x00000000000C0000-0x00000000000C8000-memory.dmp

      Filesize

      32KB

      Download