Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
11-09-2024 17:50
General
-
Target
ARCHIVO TRANSACCIONAL No 87654756347657898997654347658900.exe
-
Size
3.8MB
-
MD5
cf0d816acec45f16397b4ebf0c32cac7
-
SHA1
a58750f37c6a88f89d1f5d2789811d24249480e0
-
SHA256
ae2d51f8430d85f56521e2445d8b01e6413ddf1a24685ac5aa3ca84ddaabc425
-
SHA512
f092cea4a71cf22e7361b1d6d2ccb5772b7f347ec8d2ce3b9d428b636d76844ab44cd28a8a393ee76b353b352888e03b1785bfcbbbcdef56a536ea8278384005
-
SSDEEP
98304:h3x3FJ58yNV78P06ZKlCOQhrAMSVV+uKIqKZCoErQ:h31H5nUICDNuKIqKW
Malware Config
Extracted
remcos
UBANCOL
juanruizpu1405.con-ip.com:1668
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-OWARH1
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ARCHIVO TRANSACCIONAL No 87654756347657898997654347658900.exe"C:\Users\Admin\AppData\Local\Temp\ARCHIVO TRANSACCIONAL No 87654756347657898997654347658900.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ARCHIVO TRANSACCIONAL No 87654756347657898997654347658900.exe"C:\Users\Admin\AppData\Local\Temp\ARCHIVO TRANSACCIONAL No 87654756347657898997654347658900.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
230B
MD5ce91f31f029d335e116c0ff9f2dbe8dd
SHA1f4c715d103cfd720d928e67429b97c1b4252012b
SHA25672bdf5382f5e14dfa33b74013428a5317c00f76a5eb14b7b8122a7dd8b5af218
SHA51260e9c5f3df618b8f9605f4e365194d7d995a4040056bbb69d129b2431371f1ad68f5b406002689c6921cf93a63827f9b5ae268c36442579aa6365fb6b306d823
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
3.8MB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
4KB
-
Filesize
520KB
-
Filesize
3.8MB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB