remcos

General

Target

0e0a8b12919fc83f031046cfe5913d4b.uue
Size

1.5MB
Sample

241112-zj9tya1dlr
MD5

0e0a8b12919fc83f031046cfe5913d4b
SHA1

948ed2e3dfeecfb6b979cc12474b62a3c3019ec2
SHA256

05751052592fab25c82ce4b951283c1c98f6c430c0414c128b01a385f198bd15
SHA512

b9567791df7a825d1ea9b2b87298531586d8d87e63e2c7013bef19530038df576e0d8c53586eb0c728d85cfe0d36f422869a2792c3e891eba81a4c2827657d4c
SSDEEP

49152:EeAJkHNIbZDWuJb0Rcz6m6cM+b4nE5SOEf:EeASybAM+cM+bvgOEf

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f

exe.dropper

https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f

Extracted

Family

remcos

Botnet

Vps

C2

barrioantioquia.webredirect.org:6090

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
datos
mouse_option
false
mutex
Rmc-PGBZ6D
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  En este sentido, se le hace un llamado de atención para que se presente ante el Juez del Circuito Tercero (3ro) Penal de Cundinamarca, a más tardar el 12 de noviembre de 2024..bat
- Size
  
  210KB
- MD5
  
  ed413cc9ec12454b62e10a58bb2e4213
- SHA1
  
  a027ce72c41eb753d1e275eb955ddf8b323a84de
- SHA256
  
  81fe1c16a0c91c2ce2b997dfa0d6c3ecb03af6a9494024d273b902b2f088ca6e
- SHA512
  
  7ff5eb191033f5770f180ab3111fe6402cc9ac71540c6a6eda2b32e50a57e5b267a7006ce45f82b8e578962a5a2b7a605eda8cb525430fe889b4d941dd11f9cf
- SSDEEP
  
  6144:vZ5PFlZSyyiQNfwJIJ9wNfX3T7jVrDjDb7bLw8:B
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
behavioral1 behavioral2
- Target
  
  Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejecutado por el Juzgado Tercero (3ro) Penal de Cundinamarca Especializado en Aseguramiento Penal a las Víctimas.exe
- Size
  
  4.2MB
- MD5
  
  f99a4d8ef451335fdfa3a7598b84317e
- SHA1
  
  06b4e9ef430633497353deafedf4d1d17fe4a8b7
- SHA256
  
  20283604db26efb7ee25bf2afb9ca5be37b0e99ad1347eb8db4edc54ae77ed39
- SHA512
  
  77465ff763d3ba6865d2ac68443796349aa7b0d36bfc8534e0825ea01b3a155a5f25e9459f32fcd9eead2086fb6e84c74139200645538958a214fd3dc3cdd619
- SSDEEP
  
  49152:vR28UtN5sFBCJdJE2dNzk6YUiKYCuOpHoG4HLL0nsq59dXuq0SVycr2AfT3XsjFb:ToICJA2fDl2hOpHoxrYnsq9mWY
Score

10^/10

remcos vps discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Adds Run key to start application
  persistence
behavioral3 behavioral4