General

  • Target

    41dc561d9c32e58dcc94f823eb6c21f0.tar

  • Size

    3.3MB

  • Sample

    241115-w1gmyazarn

  • MD5

    41dc561d9c32e58dcc94f823eb6c21f0

  • SHA1

    59482d930af6715d5b98c5a2a1bfb5d703dbd5bb

  • SHA256

    66b7d6a454320a3f7f9cae8910c0ea2824075536b689635417d79b022a1d933c

  • SHA512

    bd03a3adca8294322a92bdbcce53cdcc3e4e8edd48fcd97dfbba8a06e3c8e36e11be7966dd865e60d312b66cc23b1c30c8edfc78700c96ea7a2fa1e61d1bc6d3

  • SSDEEP

    98304:lfqQdtSn7BTTVT1GSulcPCfN1qsMeNKm5cClcmu+JRGPo:lzdQntv+lc0MuVlc5+LGw

Malware Config

Extracted

Family

remcos

Botnet

tres

C2

quemaryamismo.remoteip.org:3018

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    registros.dat

  • keylog_flag

    false

  • keylog_folder

    data

  • mouse_option

    false

  • mutex

    Rmc-3EX2ER

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Capturas de pantalla

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5
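The extracted configuration above is mostly useful as a set of host and network indicators. The script below is an added example (not part of this report or of the sandbox tooling): it copies the C2, mutex, and folder/file values from the config, derives matchable indicators from them, and runs them over a few constructed telemetry lines. Two assumptions are made that the page itself does not state: that the `<folder>\<file>` pairs can be matched as path suffixes without knowing the base directory, and that `Rmc-` is the default mutex prefix a Remcos build carries, so a prefix match is a reasonable generic signal for other builds.

```python
import re

# Values copied from the "Extracted" config on this report.
REMCOS_CONFIG = {
    "c2": "quemaryamismo.remoteip.org:3018",
    "mutex": "Rmc-3EX2ER",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_folder": "data",
    "keylog_file": "registros.dat",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Capturas de pantalla",
    "audio_folder": "MicRecords",
}

# Assumption (not stated on the page): Remcos builds name their mutex with
# this prefix by default, so a prefix hit is a generic Remcos signal even
# when the exact mutex of this sample is absent.
REMCOS_MUTEX_PREFIX = "Rmc-"


def derive_iocs(cfg):
    """Turn the extracted config into matchable indicators.

    Assumption: folder/file pairs are joined as written and matched as
    case-insensitive path suffixes, because the config does not give the
    base directory for the keylog, screenshot, or audio folders.
    """
    host, _, port = cfg["c2"].rpartition(":")
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "paths": {
            "copy_path": f"\\{cfg['copy_folder']}\\{cfg['copy_file']}".lower(),
            "keylog_path": f"\\{cfg['keylog_folder']}\\{cfg['keylog_file']}".lower(),
            "screenshot_dir": f"\\{cfg['screenshot_folder']}\\".lower(),
            "audio_dir": f"\\{cfg['audio_folder']}\\".lower(),
        },
    }


def scan(lines, iocs):
    """Return (line_number, indicator_name) for every telemetry line that hits."""
    # Matches "host:port" as well as "host dport=port"-style fields.
    c2_re = re.compile(
        re.escape(iocs["c2_host"]) + r"(?::|\s+\w*port=)" + str(iocs["c2_port"]) + r"\b",
        re.IGNORECASE,
    )
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        if c2_re.search(line):
            hits.append((n, "c2"))
        if iocs["mutex"] in line:
            hits.append((n, "mutex"))
        elif "mutant" in low and REMCOS_MUTEX_PREFIX.lower() in low:
            hits.append((n, "mutex_prefix"))
        for name, frag in iocs["paths"].items():
            if frag in low:
                hits.append((n, name))
    return hits


# Constructed telemetry lines (Sysmon-like, made up for this example).
SAMPLE_EVENTS = [
    "Sysmon 3 NetworkConnect image=C:\\Users\\ana\\AppData\\Roaming\\Remcos\\remcos.exe dst=quemaryamismo.remoteip.org:3018",
    "Sysmon 11 FileCreate target=C:\\Users\\ana\\AppData\\Roaming\\Remcos\\remcos.exe",
    "Sysmon 11 FileCreate target=C:\\Users\\ana\\AppData\\Roaming\\data\\registros.dat",
    "Mutant created name=\\Sessions\\1\\BaseNamedObjects\\Rmc-3EX2ER",
    "Mutant created name=\\Sessions\\1\\BaseNamedObjects\\Rmc-A1B2C3",  # hypothetical other build
    "Sysmon 11 FileCreate target=C:\\Users\\ana\\AppData\\Roaming\\Capturas de pantalla\\cap_01.jpg",
    "Sysmon 3 NetworkConnect image=C:\\Program Files\\Mozilla Firefox\\firefox.exe dst=example.org:443",
    "Sysmon 11 FileCreate target=C:\\Windows\\Temp\\update.log",
]

if __name__ == "__main__":
    for n, name in scan(SAMPLE_EVENTS, derive_iocs(REMCOS_CONFIG)):
        print(f"line {n}: {name}")
```

The C2 hostname is a dynamic-DNS style name (`remoteip.org`), so the port and the mutex are the more stable pivots if the operator re-points the domain; the path fragments depend on the build's `copy_folder`/`copy_file` values and should be re-derived per config.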

Targets

    • Target

      Comunicado Judicial Proferido del Código penal. Articulo 287/Doc 0020939 Judicial Proferido del Código penal. Articulo 287.exe

    • Size

      7.1MB

    • MD5

      0a5c3249648c609a87d0d8c38fa8826d

    • SHA1

      f49c0a731e9d627c5443034f6a77bca69ca123df

    • SHA256

      abe817679db4a53795bf54aa1d2ac9f01667e715557fd4d4fe9c50bbea7024a2

    • SHA512

      4cb39a38b0507d37a1d644151c5e97d5462cc1b87a8f23cba1b1d1603fe9829353b13c63a4390985b0d97092abbac5a27152f9a209290267f0890c6f0304c052

    • SSDEEP

      98304:VS55YSKvY2YjVY6SXdmWa1jWhAurNLX+Wout8PwFoCjktF5ut8b9VgK2J0bSvI:VS8SGxYjVY6SXEWaKLLX+qGb9VgK2JMJ

    • Remcos

      Remcos is a closed-source remote control and surveillance tool.

    • Remcos family

    • Adds Run key to start application

    • Target

      Comunicado Judicial Proferido del Código penal. Articulo 287/Oficio Judicial Proferido del Código penal. Articulo 287.exe

    • Size

      3.3MB

    • MD5

      ad99305ad18406a8b71c8c5ed39964cd

    • SHA1

      cb491af5054798d83567e904032da7e61c29de31

    • SHA256

      5f4b7ad2a652a53de76f0278d01129be79ee9b6b8c99c18b5249a073f47f0a9d

    • SHA512

      88488e580b60f2c9681f96734518a79837985c9c2b4ec47e2505304ab70f58063ee79a6e152edad97066f56782f19b2e71f0e2189256f41c91071ff221ee3367

    • SSDEEP

      24576:OIhdJeLdstdSQIFKhEb/XjpygFVYIvBS2+PuaRNnaXhBi6eWrLg:JJeLduUBS2CUvi6eWrc

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks