Overview

overview

10

Static

static

3

En este se... T.exe

windows7-x64

10

En este se... T.exe

windows10-2004-x64

10

Por medio ...ec.exe

windows7-x64

6

Por medio ...ec.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    En este sentido, se le hace un llamado de atención para que se presente ante el Juez del Circuito T.exe

  • Size

    6.1MB

  • MD5

    2cede2aef03d4436cac510971c604d10

  • SHA1

    1454f28eaf7deb3b33bc9e4beed261f935c2451a

  • SHA256

    ac93bb754026e02ece7eb0ac015605b6b7e9e6fa1526def22a4bb3e34569ec59

  • SHA512

    808d06c5a7b78ff8ea90ecbb4bfa8f3e1bce0b697736b877860e805521668020af51a479547db7b88f5acb6d5fde43b1579b539ef705a9bfa7d9b7a1d32de91c

  • SSDEEP

    196608:N8QTH4OwL4MBQqus0YkuwYMfiUB5NdBD8R3ZZOR:N80H4OwLZBPus0YkuwYMfiUB5NvD03Z6

Score
10/10
remcosblancodiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

BLANCO

C2

camino9938.strangled.net:3018

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    registros.dat

  • keylog_flag

    false

  • keylog_folder

    data

  • mouse_option

    false

  • mutex

    nhfkkasivbijkewflivlikewf-LIQNJX

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Capturas de pantalla

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\En este sentido, se le hace un llamado de atención para que se presente ante el Juez del Circuito T.exe
    "C:\Users\Admin\AppData\Local\Temp\En este sentido, se le hace un llamado de atención para que se presente ante el Juez del Circuito T.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Users\Admin\AppData\Local\Temp\En este sentido, se le hace un llamado de atención para que se presente ante el Juez del Circuito T.exe
      "C:\Users\Admin\AppData\Local\Temp\En este sentido, se le hace un llamado de atención para que se presente ante el Juez del Circuito T.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1272

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\data\registros.dat
    Filesize

    184B

    MD5

    aac3e3bef869593d88bb77cea33c8c3f

    SHA1

    5c7c9a97744a6e8b2f02d9fc948cddc2f9165d73

    SHA256

    2ee1c24cde886aa31218e770fe5f2867cc5921a496afdd5e0fdf6be1b503707e

    SHA512

    23b25899b90dbaf1dec5bcc4be69bb8e9a311263d69b0b8f3ce4483c7e7cef806336d888ab84ab552c049a24968c68a3f048092bfe63b620672c24cfc542d6f4

    Download Submit

  • memory/1272-43-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-59-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-20-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-12-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-80-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-79-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-41-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-76-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-21-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-74-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-44-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-73-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-71-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1272-8-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-70-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-69-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-26-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-27-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-28-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-29-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-31-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-32-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-33-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-34-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-35-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-37-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-38-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-39-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-40-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-77-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-75-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-68-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-45-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-46-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-47-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-49-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-50-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-51-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-52-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-53-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-24-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-55-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-56-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-57-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-58-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-25-0x0000000000400000-0x0000000000A49000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1272-61-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-62-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-63-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-64-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-65-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1272-67-0x00000000001C0000-0x000000000023F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1628-18-0x0000000000400000-0x0000000000A49000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1628-7-0x0000000000400000-0x0000000000A49000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1628-15-0x000000000041E000-0x0000000000437000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1628-16-0x00000000009E1000-0x00000000009EB000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1628-17-0x0000000000400000-0x0000000000A49000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1628-6-0x0000000000400000-0x0000000000A49000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1628-5-0x0000000000400000-0x0000000000A49000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1628-4-0x0000000000400000-0x0000000000A49000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1628-1-0x0000000000400000-0x0000000000A49000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1628-2-0x000000000041E000-0x0000000000437000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1628-0-0x0000000000400000-0x0000000000A49000-memory.dmp

    Filesize

    6.3MB

    Download