remcos | df1161ca9eb45bf7679982ea7a5629c89f592c12ae75197ed4cfb39af919b0e6

General

Target

OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe
Size

3.7MB
MD5

5e1610ac721b1358715549d10a64f298
SHA1

3d796a7cba3376f0b0d4ac8b4b225b9ce4882181
SHA256

7a325ea3765b6c64aa01c1efabe53d9829e29c134c76096aa9cdd7c7c7e2874a
SHA512

bdb697c843e7d4ec81d0b831e09ca9b3863d910100675f19727572baaefe9979aae76dedf24c54219411f53ae9ee15ae46c7df95465eda29a916623fc053aace
SSDEEP

49152:zC8nc/DY7yJiS/T9D8Tk6SRdkpvRFpybOtNYPMI3+KzppPTA14DtB7I6aXG:zCv/1RRd8FpybgaEI9a6a2

Score

10^/10

remcos mango discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

MANGO

C2

enero2024.con-ip.com:2005

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
registros
mouse_option
false
mutex
bgdfvcujthdkijagnchgdk-VWA9IM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\SatPCEditor = "C:\\Users\\Admin\\Music\\SatPCUpdater\\SatPCOculus.exe"	OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2524	OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2400	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2400	AUDIODG.EXE
Token: 33	2400	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2400	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2524	OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2524	1656	OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe	29
PID 1656 wrote to memory of 2524	1656	OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe	29
PID 1656 wrote to memory of 2524	1656	OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe	29
PID 1656 wrote to memory of 2524	1656	OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe	29
PID 1656 wrote to memory of 2524	1656	OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe	29
PID 1656 wrote to memory of 2524	1656	OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe	29

C:\Users\Admin\AppData\Local\Temp\OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe
"C:\Users\Admin\AppData\Local\Temp\OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe
  "C:\Users\Admin\AppData\Local\Temp\OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2524

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1648

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

Network

DNS

enero2024.con-ip.com

OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe

Remote address:

8.8.8.8:53

Request

enero2024.con-ip.com

IN A

Response

enero2024.con-ip.com

IN A

181.141.41.0
DNS

enero2024.con-ip.com

OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe

Remote address:

8.8.8.8:53

Request

enero2024.con-ip.com

IN A

Response
DNS

geoplugin.net

OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe

Remote address:

8.8.8.8:53

Request

geoplugin.net

IN A

Response

geoplugin.net

IN A

178.237.33.50
GET

http://geoplugin.net/json.gp

OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe

Remote address:

178.237.33.50:80

Request

GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Thu, 03 Oct 2024 17:31:31 GMT
server: Apache
content-length: 955
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *

181.141.41.0:2005

enero2024.con-ip.com

OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe

2.5kB
644 B
10
13
178.237.33.50:80

http://geoplugin.net/json.gp

http

OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe

531 B
2.5kB
10
4

HTTP Request

GET http://geoplugin.net/json.gp

HTTP Response

200

8.8.8.8:53

enero2024.con-ip.com

dns

OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe

132 B
148 B
2
2

DNS Request

enero2024.con-ip.com

DNS Request

enero2024.con-ip.com

DNS Response

181.141.41.0
8.8.8.8:53

geoplugin.net

dns

OFICIO N° 00329493234 RADICAL ACCIÓN DE TUTELA 02024-0059.exe

59 B
75 B
1
1

DNS Request

geoplugin.net

DNS Response

178.237.33.50

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\registros\registros.dat

Filesize
660B

MD5
feb126a3b4af54122f496c6f2e90981b

SHA1
9b0dae67a60e670a93bdd2fd94125832df34bebc

SHA256
18cee110d5f26414c36c7d0911551da2d6cb3ba1d221ce059a629e66143cf542

SHA512
be44d7297dc90c6cafc2d05cd431713de3fc1ea067e45bef696498df33890becacfd6a51ad4ddc62247fa2038c2df516e9dccb93fdf9c53f1313eab7cbd5a567

Download Submit
memory/1656-32-0x0000000000507000-0x0000000000520000-memory.dmp

Filesize
100KB

Download
memory/1656-3-0x0000000000507000-0x0000000000520000-memory.dmp

Filesize
100KB

Download
memory/1656-2-0x0000000000400000-0x00000000009BF000-memory.dmp

Filesize
5.7MB

Download
memory/1656-6-0x0000000000400000-0x00000000009BF000-memory.dmp

Filesize
5.7MB

Download
memory/1656-8-0x0000000000400000-0x00000000009BF000-memory.dmp

Filesize
5.7MB

Download
memory/1656-7-0x0000000000400000-0x00000000009BF000-memory.dmp

Filesize
5.7MB

Download
memory/1656-5-0x0000000000400000-0x00000000009BF000-memory.dmp

Filesize
5.7MB

Download
memory/1656-0-0x0000000000400000-0x00000000009BF000-memory.dmp

Filesize
5.7MB

Download
memory/1656-14-0x0000000000400000-0x00000000009BF000-memory.dmp

Filesize
5.7MB

Download
memory/1656-18-0x0000000000400000-0x00000000009BF000-memory.dmp

Filesize
5.7MB

Download
memory/2524-9-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-29-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-20-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2524-23-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-24-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-25-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-26-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-27-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-13-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-17-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-37-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-38-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-19-0x0000000000400000-0x00000000009BF000-memory.dmp

Filesize
5.7MB

Download
memory/2524-48-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-49-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-56-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-57-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-64-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2524-65-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.