General

  • Target: 46fb3e0957a29ee2e6463b64930eabb9ba8949c7d2395111463be8a3a8752c19
  • Size: 1.7MB
  • Sample: 241021-zj9tyavgjb
  • MD5: d50fdace9caa85ff5d4d4441a46b834e
  • SHA1: 88d0baa220ff1f8d96a86925cad326c9e4e9ec50
  • SHA256: 46fb3e0957a29ee2e6463b64930eabb9ba8949c7d2395111463be8a3a8752c19
  • SHA512: 2c14a62ce361ceb7a7f79ce11378a7a6de538d1ea612597ded8f56ec08ce37ccffcf8887f7fe02c646124a58c2835bd84ed9563955b762a3a7a40a67eda87a13
  • SSDEEP: 49152:+zaxKrxC+N/dthgukmga7sXM4vZDhbcbbiZ0dB:+uMbNHhgukZj1abbw0dB

Malware Config

Extracted

Family: remcos

Botnet: RATON

C2: newtestdn.dns.army:1700

Attributes

  • audio_folder: MicRecords
  • audio_path: ApplicationPath
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: registros.dat
  • keylog_flag: false
  • keylog_folder: datos
  • mouse_option: false
  • mutex: hbdggdmmmskbsciihcjh-VVGXL8
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Capturas de pantalla
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value:
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: INFORME COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE/DOC 000239843 COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe
    • Size: 4.0MB
    • MD5: 6358b60b9e07fb80b705ec024e5e3fe9
    • SHA1: 0af3b32f03055623e89036885952a398dd897252
    • SHA256: 6272c72c830630f76aac92c2ad13e3f601aa7752e13d8713e150511754097eaa
    • SHA512: 65fe12720f0dc375925a077dc7a7bacf2297ac7c957cbec9788f5c5b411f92529ba96b725d1214ac321e4ef326f4f9f9140bb497255498c03626df548a025915
    • SSDEEP: 49152:HWGtLBcXq5IR6SVb8kq4pgquLMMji4NYxtJpkxhGjIKTbZB333zvm6t7holsw7W:ptLuYqgwh4NYxtJpkxhGxB333roJW

    • Remcos: Remcos is closed-source remote control and surveillance software.

    • Adds Run key to start application

    • Target: INFORME COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE/OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe
    • Size: 695KB
    • MD5: f621bcc81502beb71cfc6cb277f541d7
    • SHA1: 899d5a8bde60177a5ead87c999f79ee1076592e3
    • SHA256: 1ee61e9cb3034a6229ff3975ae8c871047afcc0e9e4b21f19a9198e463ae62c2
    • SHA512: 84514718bfc367c1a23c7dcafae2df45055d0f3001340740f1415cd6911f71d3b7a064d853c38d50e3ca774bc3221a72960f878922d2d7477eb7cfac1de5191d
    • SSDEEP: 12288:rZeZi1X5Ni3O32PaxC119ebmiOZgIu0dFnbA:88i+3LK3eIu0dFnbA

    Score: 10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Drops startup file
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks