remcos | cc0244b4c258e97fbf0b8f502294162e664a37258c9ece4c7643568d62c033ce | Triage

Sharing

General

Target

formulario_agendamiento_citas.msi 2
Size

9.0MB
Sample

250117-xknxrazkgt
MD5

b9f79ee9ec0f51e63b1ac46c20219654
SHA1

9f0633a95a0c82753967aa767e60c0e06ecf9e51
SHA256

cc0244b4c258e97fbf0b8f502294162e664a37258c9ece4c7643568d62c033ce
SHA512

36833b0f690a4fdbb27c91ef875d7e1685ee81c4bf910501c6f23dcb138c395dcfbaca6b415f82a9a21fed370bfc72825b3c9d329d5ecab77b44cb34882292e0
SSDEEP

196608:cmNuMO+3noWOAZml68MnJ6tdGeHzpNTxlSWtnngXdpikdFn2zBsBaS6e4xI3VpsB:9n/3oWdZml9nngV3n2zm4JVz

Score

10^/10

remcos noviembre 07 muchacha discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

NOVIEMBRE 07 MUCHACHA

C2

imaxatmonk.imaxatmonk.com:2204

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Acobatlg.exe
copy_folder
edqelofh
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rochilds
mouse_option
false
mutex
gesinfrapr-6YDCRB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  formulario_agendamiento_citas.msi 2
- Size
  
  9.0MB
- MD5
  
  b9f79ee9ec0f51e63b1ac46c20219654
- SHA1
  
  9f0633a95a0c82753967aa767e60c0e06ecf9e51
- SHA256
  
  cc0244b4c258e97fbf0b8f502294162e664a37258c9ece4c7643568d62c033ce
- SHA512
  
  36833b0f690a4fdbb27c91ef875d7e1685ee81c4bf910501c6f23dcb138c395dcfbaca6b415f82a9a21fed370bfc72825b3c9d329d5ecab77b44cb34882292e0
- SSDEEP
  
  196608:cmNuMO+3noWOAZml68MnJ6tdGeHzpNTxlSWtnngXdpikdFn2zBsBaS6e4xI3VpsB:9n/3oWdZml9nngV3n2zm4JVz
Score

10^/10

remcos noviembre 07 muchacha discovery persistence privilege_escalation rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

System Binary Proxy Execution

Msiexec

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosnoviembre 07 muchachadiscoverypersistenceprivilege_escalationrat