remcos | 8d91d9c2ffaa42160c19fc80b827681d34f9309352dbb7631225765eb7e7b420 | Triage

Sharing

General

Target

COMUNICADO TRIBUNAL ADMINISTRATIVO DE CUNDINAMARCA DEMANDA ACTIVA REF 004599KSDFKKD.tar
Size

39KB
Sample

240930-wjtk6ssbqd
MD5

7b22e6d2f88feb1c17d0c363a2371787
SHA1

cbe4f1de5f4e222b8572640557ec5d9a47dc0e55
SHA256

8d91d9c2ffaa42160c19fc80b827681d34f9309352dbb7631225765eb7e7b420
SHA512

90ed1ca263d24a2d90605639cb626aea3a3411fbf8ce2e81cc915d492ebc0be163e431112cb91bc65bff748d5072a86d1f1db7f299d8ca152da523caa02eaf34
SSDEEP

768:fhTREeqOCIev159Qkx4n0OuEHhXc8VvfPN0wutD5rgqjx4yquo4Jz:NR8OC5wkJAhXBVHPN0wuF5Mryqub

Score

10^/10

remcos nuevos2 discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

NUEVOS2

C2

mietras90.con-ip.com:1835

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
DASSGF
mouse_option
false
mutex
JDSJFJDJFKDS-EF5ROI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  COMUNICADO TRIBUNAL ADMINISTRATIVO DE CUNDINAMARCA DEMANDA ACTIVA REF 004599KSDFKKD.exe
- Size
  
  164KB
- MD5
  
  75d2548cd9f4948e12ceb88e1983d649
- SHA1
  
  445d8255b03a705149bf729e53227c057f7be7c5
- SHA256
  
  57dd9fdd4a1fa799d2136349024e9ccf2ecb78e69ca2a9c98b6321d09f4161b0
- SHA512
  
  11b36fa14b30293136c84475b2a1335b59696bf3f337cd090b1de635a6e20daa5b742ca2b5e54fb553be749082ebc6ffd5569fe8116d0431b17f54a3fae6a0be
- SSDEEP
  
  1536:f0JnSp1HzoN3423mVxWaopvLJR0SEZfbF7AmxrN7Ao6xhx:xod3myasRKfbFkukoC
Score

10^/10

discovery remcos nuevos2 persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosnuevos2discoverypersistencerat