remcos | 92adf52b3b33c6520246cb0376c88fc0bc99da5e09a7888df8ca6ef47bee7420 | Triage

Sharing

General

Target

19092024_0058_16092024_Cobro_473152503353937937121882933139460361945218628084381001751848317.pdf.rar
Size

1.2MB
Sample

240919-bbzr1asejb
MD5

b6b51fed21af7ac99fc5a4a9a989b4d1
SHA1

9baf9d272114735a15cd73189c8aa31d2ef1ea32
SHA256

92adf52b3b33c6520246cb0376c88fc0bc99da5e09a7888df8ca6ef47bee7420
SHA512

b10c0ea5dc221667e0eb864355e62c746f43151c78a2e654749e42d3014f6ebdf07e94ece6c496d15357166fec299f2d16a0ae08fe3cc244b8151dc0ae830f67
SSDEEP

24576:1zn5P2CMY6p1IFFQRzOAt1j6IpzjJ8vVSty44tXbrKud0MCK+c1YB3w4csE7:l5PzXs1CFQRaAt1zzjJ89KgFFMc1Ac37

Score

10^/10

remcos vivero2 discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

VIVERO2

C2

viveroelgirasol.com:2406

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
lgs.dat
keylog_flag
false
keylog_folder
WinLog
mouse_option
false
mutex
qwerty2024-GHME8E
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Cobro_473152503353937937121882933139460361945218628084381001751848317.pdf.exe
- Size
  
  1.3MB
- MD5
  
  dabb9c34debeb158b87fc305b5b35500
- SHA1
  
  0e1c01d3652652936a13145910273825ac1fdb47
- SHA256
  
  9bad1a9d1124eaaa444e2ed57d9cfaac32448b51aab63474a75aa367b970e75c
- SHA512
  
  ac7fb3346aea79083dce335fb0b8b2d6c674e6dfd119732dd7ba83db076ca02f506b8c92efdc858e4eb2ad6e1e88485f8d673f4cb843f8e9ffce3ad9ad632936
- SSDEEP
  
  24576:CMv/RfK3j6UqPTUHlrzyOxP2rH5QCQgkagp742NA:i7E4HxR2rZ0gkag54n
Score

10^/10

discovery persistence remcos vivero2 rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

remcosvivero2discoverypersistencerat