remcos | 8ace9806930d834c52013f9c58246b45a44381be51c1c53c0e2a5da5adc29a05 | Triage

Sharing

General

Target

u.msi
Size

5.7MB
Sample

250127-txps2axqbp
MD5

f16fddbeda16868ac7935725201c6321
SHA1

6775c120e9607753c83a58006cc435149d2dba91
SHA256

8ace9806930d834c52013f9c58246b45a44381be51c1c53c0e2a5da5adc29a05
SHA512

8cff853d33004c0178b433058cdbf3e7c2dc45c9e00e6704839ff811ca0b8ff49561d44e140b4c311b5620e33f0c9be5ee86404dc6d4608eebf55c87d80dbce5
SSDEEP

98304:WRMYywIk8aXRK6SYAEgrrm5OT24gNVOyj7eo76vS6q4we36MxisVYaA7F4t:ycPc86SvbmAMU1S6q49j0sVZA4t

Score

10^/10

remcos enero 20 muchacha discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

ENERO 20 MUCHACHA

C2

restaurantes.pizzafshaioin.info:5508

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
coimostoda
mouse_option
false
mutex
neocivasne-F0VOCL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  u.msi
- Size
  
  5.7MB
- MD5
  
  f16fddbeda16868ac7935725201c6321
- SHA1
  
  6775c120e9607753c83a58006cc435149d2dba91
- SHA256
  
  8ace9806930d834c52013f9c58246b45a44381be51c1c53c0e2a5da5adc29a05
- SHA512
  
  8cff853d33004c0178b433058cdbf3e7c2dc45c9e00e6704839ff811ca0b8ff49561d44e140b4c311b5620e33f0c9be5ee86404dc6d4608eebf55c87d80dbce5
- SSDEEP
  
  98304:WRMYywIk8aXRK6SYAEgrrm5OT24gNVOyj7eo76vS6q4we36MxisVYaA7F4t:ycPc86SvbmAMU1S6q49j0sVZA4t
Score

10^/10

remcos enero 20 muchacha discovery persistence privilege_escalation rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

System Binary Proxy Execution

Msiexec

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosenero 20 muchachadiscoverypersistenceprivilege_escalationrat

behavioral2

remcosenero 20 muchachadiscoverypersistenceprivilege_escalationrat