remcos | 702675900bbfaca101c29391fc497066b5649c123f41383a69562a886efd1112 | Triage

Sharing

General

Target

formulario_agendamiento_citas.msi 5
Size

9.4MB
Sample

250117-xleqgazkhw
MD5

e08f4ef0a8695fb151e2af8e54bd2344
SHA1

a399a4c848148af77f9f75ec4e8d3688009ba2cf
SHA256

702675900bbfaca101c29391fc497066b5649c123f41383a69562a886efd1112
SHA512

6a3fe318de56195912563fdb2516a1f7f9ffec3a03043e6131a93a89eb45d5aff526b23d82e005894a316bd07d70295c49f893932d6d20dee44f5cf054f3d23a
SSDEEP

196608:fS904j9o9QA4SH3cKSXf4eOrIZ9bnF/dMT5zLy45TH7xtino:i04RoDNH3cKSP4eOriJF1MFzLyybxt

Score

10^/10

remcos octubre 31 muchacha discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

OCTUBRE 31 MUCHACHA

C2

imaxatmonk.imaxatmonk.com:2204

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Acobatlg.exe
copy_folder
edqelofh
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
elecvac
mouse_option
false
mutex
prointerca-JFYAH7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  formulario_agendamiento_citas.msi 5
- Size
  
  9.4MB
- MD5
  
  e08f4ef0a8695fb151e2af8e54bd2344
- SHA1
  
  a399a4c848148af77f9f75ec4e8d3688009ba2cf
- SHA256
  
  702675900bbfaca101c29391fc497066b5649c123f41383a69562a886efd1112
- SHA512
  
  6a3fe318de56195912563fdb2516a1f7f9ffec3a03043e6131a93a89eb45d5aff526b23d82e005894a316bd07d70295c49f893932d6d20dee44f5cf054f3d23a
- SSDEEP
  
  196608:fS904j9o9QA4SH3cKSXf4eOrIZ9bnF/dMT5zLy45TH7xtino:i04RoDNH3cKSP4eOriJF1MFzLyybxt
Score

10^/10

remcos octubre 31 muchacha discovery persistence privilege_escalation rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

System Binary Proxy Execution

Msiexec

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosoctubre 31 muchachadiscoverypersistenceprivilege_escalationrat