Overview

overview

10

Static

static

1

APERTURA R...55.exe

windows7-x64

10

APERTURA R...55.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-08-2024 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    APERTURA RAD 10000065665655.exe

  • Size

    2.3MB

  • MD5

    fc82c4456949b5f4dfc28f271be666b0

  • SHA1

    a2bdc71c58f29338cdb80edc7099caf24c1de8bd

  • SHA256

    90bbc186938b8bf66f288b9376a9ee09e3ea004231d79e29eac556060cd7f6a3

  • SHA512

    a691497d78457a6da0eea34df574f9baa9d1b3414a3c2e02998799596dadf718dfd968ed81eaeb3817862b59428b47bd12be64c006ce374e0981310561903829

  • SSDEEP

    49152:hEevijJYygFFqn2Eorzg89I4MdqnIhIuOcSnLp20aPbT+gyYlXtwL/Lal1w9LVw:h7aCFFqdHPP0YlXtwL/Lal1

Score
10/10
remcosamorediscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

AMORE

C2

muchodinerohoy.con-ip.com:1667

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-T2SV5Q

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\APERTURA RAD 10000065665655.exe
    "C:\Users\Admin\AppData\Local\Temp\APERTURA RAD 10000065665655.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Users\Admin\AppData\Local\Temp\APERTURA RAD 10000065665655.exe
      "C:\Users\Admin\AppData\Local\Temp\APERTURA RAD 10000065665655.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4184

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    27193a2286bc7d6aec0ddc04362711eb

    SHA1

    d8056a7838b268d1eccf570d4cf4755f819caf76

    SHA256

    ffb0ff6b769584b7a32bd35829924a95e5d8cba55a908b902dffae1b3c6601ed

    SHA512

    af297e967345837ee992ab088a38cc32d2ec336ab9b1ceab985797d674fbde5889d77bed53ccc789a8c77685366c9c5bc583f03c9cc2fb8d25b2c456604837b8

    Download Submit

  • memory/3936-0-0x0000000000400000-0x0000000000678000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/3936-2-0x0000000000400000-0x0000000000678000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/3936-1-0x0000000000407000-0x0000000000421000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3936-6-0x0000000000400000-0x0000000000678000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/4184-5-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4184-21-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4184-11-0x0000000000400000-0x0000000000678000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/4184-10-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4184-12-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4184-4-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4184-13-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4184-14-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4184-15-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4184-7-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4184-22-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4184-3-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4184-29-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4184-30-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4184-37-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4184-38-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4184-45-0x00000000000D0000-0x0000000000152000-memory.dmp

    Filesize

    520KB

    Download