remcos | 1d0c839f62d4bba569a80e880014eb6a8613ffc954c86e52a3312ea2ddd65813

Analysis

max time kernel
135s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2024, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Portaflio Prioritario - Informe de Robo 21 de Octubre/Consolidado Prioritario - Informe de Robo 21 de Octubre.exe
Size

130KB
MD5

5af3ce90fc3fa5c03a2e45b20667c285
SHA1

4a4926267eda634af0c47b2b1e1c53bb159d0ea0
SHA256

9f804739f1168e139d5cbc1a66dc2c3f858d626274d5c0e25b60c9547782b5e9
SHA512

34ceeef28316fbbb228f63ac63044de5c154ab694189063ce961260327ab9c8701be9622356aa1eca275062ff11b74a20997418a6231b406c935543a0ebf9e05
SSDEEP

1536:0hZKhinXt1nnXdIKREzLsY9bBFDEqrfURuwncv+xk89sY7VCpEqBOQ9Xmf0Zh+E+:ywyvdIKREzLdnG8Eh8Xmf0ZgvbR

Score

10^/10

remcos rosas discovery rat

Malware Config

Extracted

Family

remcos

Botnet

rosas

pruebaoctubrenuevo.ydns.eu:3018

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
datos
mouse_option
false
mutex
mkfhndhytdhjualcyyrfw-1E1OP0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3192 created 3388	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe	56

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegisteredChannels.vbs	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3192 set thread context of 2596	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe	94

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	InstallUtil.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe
Token: SeDebugPrivilege	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2596	InstallUtil.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2596	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe	94
PID 3192 wrote to memory of 2596	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe	94
PID 3192 wrote to memory of 2596	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe	94
PID 3192 wrote to memory of 2596	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe	94
PID 3192 wrote to memory of 2596	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe	94
PID 3192 wrote to memory of 2596	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe	94
PID 3192 wrote to memory of 2596	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe	94
PID 3192 wrote to memory of 2596	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe	94
PID 3192 wrote to memory of 2596	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe	94
PID 3192 wrote to memory of 2596	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe	94
PID 3192 wrote to memory of 2596	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe	94
PID 3192 wrote to memory of 2596	3192	Consolidado Prioritario - Informe de Robo 21 de Octubre.exe	94
PID 2596 wrote to memory of 3624	2596	InstallUtil.exe	103
PID 2596 wrote to memory of 3624	2596	InstallUtil.exe	103
PID 2596 wrote to memory of 3624	2596	InstallUtil.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3388
- C:\Users\Admin\AppData\Local\Temp\Portaflio Prioritario - Informe de Robo 21 de Octubre\Consolidado Prioritario - Informe de Robo 21 de Octubre.exe
  "C:\Users\Admin\AppData\Local\Temp\Portaflio Prioritario - Informe de Robo 21 de Octubre\Consolidado Prioritario - Informe de Robo 21 de Octubre.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vzmtikqxevrexxgv.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\datos\registros.dat

Filesize
184B

MD5
23edc6810716c5f3e848d5077f88cb3c

SHA1
d15056f6c752de36bb9733d8ee0507ce6f414969

SHA256
33be94ecebba20340a7f7498deb290908797aba3edda20f2afba9310cef943f9

SHA512
f4ff9ee1d73c03f7261eac783cd887292da55d12dcf4082a987a78a7c753f6775a4359c95b2ee7752e3623aa55b7cf25d7b344e2d55982a078c344bf6b984e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vzmtikqxevrexxgv.vbs

Filesize
382B

MD5
3db952c728fab3baa68a61db75d074c8

SHA1
67f61b864fe60acee701cea9cb65469395ff8f30

SHA256
b1860633c96be2e60353cf76801c6ea53df1761af69383337b297487748a044b

SHA512
a1046e6de280772b293d7f4bb1afd2729d0f435265591ed3e3861607ab8366176e3d53b1a1b628d1adaa396475d6612ea8531ee593198e9ac99d1f5d5bbecea1

Download Submit
memory/2596-1100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2596-1110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2596-1134-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3192-43-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-69-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-2-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/3192-3-0x0000000006370000-0x0000000006494000-memory.dmp

Filesize
1.1MB

Download
memory/3192-4-0x0000000006A60000-0x0000000007004000-memory.dmp

Filesize
5.6MB

Download
memory/3192-5-0x00000000065B0000-0x0000000006642000-memory.dmp

Filesize
584KB

Download
memory/3192-6-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-25-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-57-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-37-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-39-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-67-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-65-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-61-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-59-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-55-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-53-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-51-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-49-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-47-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-45-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/3192-1-0x00000000006D0000-0x00000000006F6000-memory.dmp

Filesize
152KB

Download
memory/3192-41-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-63-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-35-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-33-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-31-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-29-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-27-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-23-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-21-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-19-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-15-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-13-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-17-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-9-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-7-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-11-0x0000000006370000-0x000000000648F000-memory.dmp

Filesize
1.1MB

Download
memory/3192-1080-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/3192-1081-0x00000000066C0000-0x0000000006758000-memory.dmp

Filesize
608KB

Download
memory/3192-1082-0x0000000006790000-0x00000000067DC000-memory.dmp

Filesize
304KB

Download
memory/3192-1083-0x00000000067E0000-0x0000000006834000-memory.dmp

Filesize
336KB

Download
memory/3192-1087-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/3192-1088-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/3192-1091-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/3192-1090-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/3192-1101-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download