remcos | 2d7f235edfdbb770492b966fbefe50b3f98bf5dd8b4427ca7ac06f45ce019d97 | Triage

Sharing

General

Target

03102024_0439_02102024_Cobro_876634226701191038128011582367096095686646340584195296708193218.rar
Size

1.4MB
Sample

241003-fad65averq
MD5

67a0830b3b3414fa2277094286f8fcf8
SHA1

554a9f2ef9cc5b907c75f22edf844bb476ba1127
SHA256

2d7f235edfdbb770492b966fbefe50b3f98bf5dd8b4427ca7ac06f45ce019d97
SHA512

3fd36ee0a3146b3ad37eacca5ef794cb5423919b213963653aff44b125e8e0d37bc3741f64d14b876b8445ebacfc0d334c8fe27ade0927e5189651b1649a3384
SSDEEP

24576:lMvWYxLYwUqm0Ved+mMUMFfQ5oKAC69JkzuHXdZBNPL6RsdFNadIiQHbcGFGzbxV:uHxLYwXmhMFf3JlHYcZLPLrdFDZPU

Score

10^/10

remcos vivero2 discovery evasion persistence rat

Malware Config

Extracted

Family

remcos

Botnet

VIVERO2

C2

viveroelgirasol.com:2406

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
lgs.dat
keylog_flag
false
keylog_folder
WinLog
mouse_option
false
mutex
qwerty2024-GHME8E
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Cobro_876634226701191038128011582367096095686646340584195296708193218.bat
- Size
  
  1.8MB
- MD5
  
  1698e898da21c028d3bfc61cbf0904aa
- SHA1
  
  acd1043cec76eacee19eb78b37b4a0624bc350f3
- SHA256
  
  075e65d20779e5ffdbe58f96c3639d6a6db830c41e100e68e0d45361ee2cc099
- SHA512
  
  466baec151eb73eeebe4b92a15b0046035019d19da9a7236d5d5e409ed61dd95469aed729eeb37eaab0bf905d5360bffd0b83975c3f5709888e10dd4ff401f61
- SSDEEP
  
  24576:Gyc27ntMASfw1Tr0s3OoF3A+HcA0uuSpYFIgu9k/gnJyi2QvqxspBVskiXLf5:dtwQYs+M3N8A0ud79yS92QvqNt
Score

10^/10

discovery evasion remcos vivero2 persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasion

behavioral2

remcosvivero2discoveryevasionpersistencerat