remcos | 01c2b04b600f71e8ddd2c420c0427e82737f241f9c31d0f3ce5c8405ca1e7d67 | Triage

Sharing

General

Target

SENTENCIA DE TUTELA; No.456 RADICADO00746-2024..exe
Size

3.3MB
Sample

241112-sdmnwsvfpf
MD5

123f8bdd76db349ac3efb3d39716932a
SHA1

18f37bfa484dff0b702924b280121e74839f21af
SHA256

01c2b04b600f71e8ddd2c420c0427e82737f241f9c31d0f3ce5c8405ca1e7d67
SHA512

24d7623644076b0ad252f7515d9530a73999ed97009995fb9deef4091a89d2c5b762cb7ada25f52493397258a19eeba00741fbfba88bdf78ac168140adf77e74
SSDEEP

49152:DZHWFTgHsE5n8WjWNCuFd8/1e0EFkFwNUwABWJTXMvI1hcNBPE9B:D9WFTQsEOQEFd8NeomAaT8vJX

Score

10^/10

remcos botella discovery rat

Malware Config

Extracted

Family

remcos

Botnet

BOTELLA

C2

noviembre06.casacam.net:2708

noviembre07.ydns.eu:2708

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-VPFO74
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  SENTENCIA DE TUTELA; No.456 RADICADO00746-2024..exe
- Size
  
  3.3MB
- MD5
  
  123f8bdd76db349ac3efb3d39716932a
- SHA1
  
  18f37bfa484dff0b702924b280121e74839f21af
- SHA256
  
  01c2b04b600f71e8ddd2c420c0427e82737f241f9c31d0f3ce5c8405ca1e7d67
- SHA512
  
  24d7623644076b0ad252f7515d9530a73999ed97009995fb9deef4091a89d2c5b762cb7ada25f52493397258a19eeba00741fbfba88bdf78ac168140adf77e74
- SSDEEP
  
  49152:DZHWFTgHsE5n8WjWNCuFd8/1e0EFkFwNUwABWJTXMvI1hcNBPE9B:D9WFTQsEOQEFd8NeomAaT8vJX
Score

10^/10

discovery remcos botella rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosbotelladiscoveryrat