remcos | ce8303ed4e415196bbf250d5e833039ec49a7cd4fadd4ce48f479a3d9810378a | Triage

Sharing

General

Target

d88e3a4ae134eb6f98490c72b24d8a54.zip
Size

882KB
Sample

241126-apj32a1khn
MD5

d88e3a4ae134eb6f98490c72b24d8a54
SHA1

4409d8b8b0d7b6bc380d6770b2777de2bbe1afe4
SHA256

ce8303ed4e415196bbf250d5e833039ec49a7cd4fadd4ce48f479a3d9810378a
SHA512

164692039ecd871d2cf7553cf8fce87d4f37ac4778f6d9bd510ed3fda418736233f61c2a7f137610dac1024dcc0601f753cc9535edc335619d63ce84efe14fe5
SSDEEP

24576:eE9eVMVFJjR54qThd3QQ+Mz1yM8WjsNrXg6Mn81:eE4MN748dgVi1WWmrgdn81

Score

10^/10

remcos oro discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

ORO

C2

noviembre14.ydns.eu:2708

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-J4BNGW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  2580-NOTIFICACIÓN PROCESO JURÍDICO; REF.74002-2024..exe
- Size
  
  1.4MB
- MD5
  
  9131affb1d89d60bf0805a7f33344c96
- SHA1
  
  82b625e578c78ec7ba9dfeb3c92888d94cd53c15
- SHA256
  
  df2d5d5f949066bedfeeb2ed9ec9524c5340ff705081585f3207f464823ca6a6
- SHA512
  
  96e5d6ae9440e151a40da68f2540b80b2e59a8a4976c0c3cb5e41d4b793e813c0a3f7bbc87054b6101af49082533a55d8bfecb3e10aa0485d8a4ce6f1396532f
- SSDEEP
  
  24576:ZoW0nPtRT7etHLvLihCUzA2NfTNTrStsycFr/+GvU2GW9:ZSjT6tXihCUzA2NfTNTrSts9b+GD
Score

10^/10

remcos oro discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosorodiscoverypersistencerat

behavioral2

remcosorodiscoverypersistencerat