Overview

overview

10

Static

static

3

PORTAFOLIO...CT.exe

windows7-x64

10

PORTAFOLIO...CT.exe

windows10-2004-x64

10

PORTAFOLIO...CT.exe

windows7-x64

3

PORTAFOLIO...CT.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    81cd20986cf64db5433eff8750449e847c7d327a8493b4dee1af9cb51b21d3e8

  • Size

    1.7MB

  • Sample

    241018-2px4favbkp

  • MD5

    716b706b034119e09561cf9aaaa4b7b5

  • SHA1

    30480014c1a1a9eb749e1b7d80cfd72e15b52a5b

  • SHA256

    81cd20986cf64db5433eff8750449e847c7d327a8493b4dee1af9cb51b21d3e8

  • SHA512

    91da29ca19b3d41f41b5dadd3098cf04ac303b2844bc65a24a37c41621f4404cca70b8455f3693a8e6b4e8aa2c02a541102520f8fd7a6af3da3180bf2d6b9aa0

  • SSDEEP

    24576:9zTuNAz2rJ6zYYGm1LCi//zTg+CItzlsYx7UafJebNGJr3aog45cGldg+8kFetbS:Zvnf4Itz2SUsEbAjaZ45cG8seTA

Score
10/10
remcosratonzonidodiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RATON

C2

newtestdn.dns.army:1700

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    registros.dat

  • keylog_flag

    false

  • keylog_folder

    datos

  • mouse_option

    false

  • mutex

    hbdggdmmmskbsciihcjh-VVGXL8

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Capturas de pantalla

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

remcos

Botnet

ZONIDO

C2

mercedez0232.ydns.eu:1831

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    asfddfsdfd

  • mouse_option

    false

  • mutex

    sdfdsfrdddss-8XLQWT

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      PORTAFOLIO PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT/DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe

    • Size

      4.0MB

    • MD5

      6358b60b9e07fb80b705ec024e5e3fe9

    • SHA1

      0af3b32f03055623e89036885952a398dd897252

    • SHA256

      6272c72c830630f76aac92c2ad13e3f601aa7752e13d8713e150511754097eaa

    • SHA512

      65fe12720f0dc375925a077dc7a7bacf2297ac7c957cbec9788f5c5b411f92529ba96b725d1214ac321e4ef326f4f9f9140bb497255498c03626df548a025915

    • SSDEEP

      49152:HWGtLBcXq5IR6SVb8kq4pgquLMMji4NYxtJpkxhGjIKTbZB333zvm6t7holsw7W:ptLuYqgwh4NYxtJpkxhGxB333roJW

    Score
    10/10
    remcosratondiscoverypersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

    • Target

      PORTAFOLIO PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT/OFICIO 0004949543 CANCELACIÓN DE CONTRATO 18 DE OCT.exe

    • Size

      695KB

    • MD5

      f621bcc81502beb71cfc6cb277f541d7

    • SHA1

      899d5a8bde60177a5ead87c999f79ee1076592e3

    • SHA256

      1ee61e9cb3034a6229ff3975ae8c871047afcc0e9e4b21f19a9198e463ae62c2

    • SHA512

      84514718bfc367c1a23c7dcafae2df45055d0f3001340740f1415cd6911f71d3b7a064d853c38d50e3ca774bc3221a72960f878922d2d7477eb7cfac1de5191d

    • SSDEEP

      12288:rZeZi1X5Ni3O32PaxC119ebmiOZgIu0dFnbA:88i+3LK3eIu0dFnbA

    Score
    10/10
    discoveryremcoszonidorat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks