remcos | 655ef27473af7fb8afe029b55d63183b70acc909f3fea4ced2e939f4b24deecb

General

Target

Nro. de comprobante 0000062221 TRANSAFERENCIA OCTUBRE 21 DE 2024.exe
Size

2.8MB
MD5

b4e6c9db13a14697cb9eb9ef5f2c27c2
SHA1

1015229197790844ed149e1c3066647016299163
SHA256

68c75ba3fb131fa8d015169c3dd717f1b79cf2688fe87c87695ba9e04df87695
SHA512

bb9920b1fa19a6bdb616a70526e3eb5090b4225394ac2c3858237d2746b304e15273dee5b10166417924acc38d65ab009243c8bab47aeacff3024d71cc919b0a
SSDEEP

49152:1TJvoJ67eQD9rSlwthuDZzjz4YVw/ehjzEWZ80sgQOvfRmEmNixi43:1TJvn1udzjz4YPhXEWGDAiq

Score

10^/10

remcos burocracia discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

BUROCRACIA

C2

solumintir.duckdns.org:1994

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NCJKEB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PatrolDesignerEditor = "C:\\Users\\Admin\\Music\\PatrolDesignerUpdater\\PatrolConvertVideo.exeԀ"	Nro. de comprobante 0000062221 TRANSAFERENCIA OCTUBRE 21 DE 2024.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nro. de comprobante 0000062221 TRANSAFERENCIA OCTUBRE 21 DE 2024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nro. de comprobante 0000062221 TRANSAFERENCIA OCTUBRE 21 DE 2024.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3344	Nro. de comprobante 0000062221 TRANSAFERENCIA OCTUBRE 21 DE 2024.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 3344	3608	Nro. de comprobante 0000062221 TRANSAFERENCIA OCTUBRE 21 DE 2024.exe	96
PID 3608 wrote to memory of 3344	3608	Nro. de comprobante 0000062221 TRANSAFERENCIA OCTUBRE 21 DE 2024.exe	96
PID 3608 wrote to memory of 3344	3608	Nro. de comprobante 0000062221 TRANSAFERENCIA OCTUBRE 21 DE 2024.exe	96
PID 3608 wrote to memory of 3344	3608	Nro. de comprobante 0000062221 TRANSAFERENCIA OCTUBRE 21 DE 2024.exe	96
PID 3608 wrote to memory of 3344	3608	Nro. de comprobante 0000062221 TRANSAFERENCIA OCTUBRE 21 DE 2024.exe	96

C:\Users\Admin\AppData\Local\Temp\Nro. de comprobante 0000062221 TRANSAFERENCIA OCTUBRE 21 DE 2024.exe
"C:\Users\Admin\AppData\Local\Temp\Nro. de comprobante 0000062221 TRANSAFERENCIA OCTUBRE 21 DE 2024.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Users\Admin\AppData\Local\Temp\Nro. de comprobante 0000062221 TRANSAFERENCIA OCTUBRE 21 DE 2024.exe
  "C:\Users\Admin\AppData\Local\Temp\Nro. de comprobante 0000062221 TRANSAFERENCIA OCTUBRE 21 DE 2024.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
f2289e5cbea3e8ba3983375bbb379372

SHA1
b94ab6a5ad1c2cda3d71fdbf7f9fb2d21e7fcf74

SHA256
464a5c244413f2ae2bf318a66522042ee038adb90cc3caa5d485cd56643e1bcd

SHA512
b2a88bd9e98700519360a7c4116f80a3faaccadb805e70592fc868e75b651d6b6191b35b497e39ce7fd70ce0ab21aa970d80af04ff122afe7a4865d4b09308d4

Download Submit
memory/3344-16-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-43-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-67-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-7-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-19-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-12-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-66-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-13-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-59-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-17-0x0000000000400000-0x00000000006DE000-memory.dmp

Filesize
2.9MB

Download
memory/3344-58-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-18-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-42-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-34-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-11-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-20-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-21-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-27-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3344-26-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/3608-24-0x0000000000409000-0x0000000000421000-memory.dmp

Filesize
96KB

Download
memory/3608-0-0x0000000000400000-0x00000000006DE000-memory.dmp

Filesize
2.9MB

Download
memory/3608-4-0x0000000000400000-0x00000000006DE000-memory.dmp

Filesize
2.9MB

Download
memory/3608-3-0x0000000000400000-0x00000000006DE000-memory.dmp

Filesize
2.9MB

Download
memory/3608-5-0x0000000000400000-0x00000000006DE000-memory.dmp

Filesize
2.9MB

Download
memory/3608-6-0x0000000000400000-0x00000000006DE000-memory.dmp

Filesize
2.9MB

Download
memory/3608-10-0x0000000000400000-0x00000000006DE000-memory.dmp

Filesize
2.9MB

Download
memory/3608-1-0x0000000000409000-0x0000000000421000-memory.dmp

Filesize
96KB

Download
memory/3608-8-0x0000000000400000-0x00000000006DE000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads