General

  • Target

    bad948017a4001a3e9a82fd53bfddb4fd9ddeba4a03eae6aa71a48f3eb69eaad.rar

  • Size

    5.2MB

  • Sample

    250201-d66j5s1rcz

  • MD5

    24d769901d3c7c85cf4448ad413a7adf

  • SHA1

    55249296cceea7f912bafa49cf01b90697d8b5c3

  • SHA256

    bad948017a4001a3e9a82fd53bfddb4fd9ddeba4a03eae6aa71a48f3eb69eaad

  • SHA512

    bafa966cfd998fe44b744a8f371eeb9b9ce116f84f4d68c31488c8323bd051e3200049cd0b16550707956f293a538938440a2ff19294edf3d99dd378b5c999c3

  • SSDEEP

    98304:/YTqCj/I7w0lNRCwET30H9wxMYIU7RHyeYr6EQqUnMJok2B1IHucCjIARy/2nNh3:/YTq60XES9KArRQqUnMOk2BTFy2nNN

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

2.58.56.182:2404

Attributes

  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-GM05WY

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Cotización.exe

    • Size

      633KB

    • MD5

      a3d33d33f8b10595c252ee8e61a8892c

    • SHA1

      f8bf529297b99ebdd0d6214a1a8a20bffb1bd875

    • SHA256

      fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1

    • SHA512

      5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0

    • SSDEEP

      6144:pe3DUlId51RnG/LXJKIA5ZaPLi+bWVSBKtnfuvOVYER0u+GIIIIIIIhIIIIIIIIB:M3DkId5HnWLXMJABWVbnf/Vjm5a/s

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      tier0_s64.dll

    • Size

      410KB

    • MD5

      328655e0f2611479a90db044ab130373

    • SHA1

      d678fd28927f05bde277bc3dc5fc51e2b4dce8b8

    • SHA256

      586a9c2a27e906a54182166ec63a02bb6a28eb4e2e7e53a799db928b76fd036d

    • SHA512

      8849dbfa9406c94b9750a6771ba391be95d8b41c53f19f446be92f4f22633975aa7d11b999e9f25b93bc682173ad6e4993486a2ec51c7475046db8daf9b1ebc2

    • SSDEEP

      6144:3gOdWrN3L9iopicrVgNSpmbY+fNo809MmbtkrFCwXNmGzZ4gs7T3D3WG8dvB4h:3gOG3LEopVqYG2809DKriGzZ4g2rWwh

    • Score

      1/10

    • Target

      vcruntime210.dll

    • Size

      26KB

    • MD5

      6e9d70d69f6b5edabf77afd544f23cdc

    • SHA1

      60fb31409c332d169e3902871e829a9727c0f7c4

    • SHA256

      63b18b5492e5f53386557724f5e3fbcbe621ff3ee9468a5b1be96ef3aefa1def

    • SHA512

      dbbb45fa0dcc02c5c9d75ebe78eaa664d4086134e2ad39731ab11ff30db6aa410d5b004778812680e0282fdc7114f5c3f7b7d6b7d033217caac7be195ecac707

    • SSDEEP

      768:z3+W0qjF/mH0x6/kLNQWZP6dzjL4GUZtVe/:se4o6MLeWd2jshrg/

    • Score

      1/10

    • Target

      vcruntime211.dll

    • Size

      482KB

    • MD5

      e020b99503a66ed0ffd3f097142b1acf

    • SHA1

      af915e18622e38a6d36633bb735ca888c8963630

    • SHA256

      d962edea5d135f3254ba1e9e886a343293b84c65d417411976c0e2bbf7b3932d

    • SHA512

      e15dfa25884a8c801ef83fb9ac380005068a27c941806e12fba2b22e52a2e6cee9e88582faed3a633796e3a12fc339cbc6dbf63160f251cce4299b59368ee28e

    • SSDEEP

      12288:4LlquazCIaeRrMJGixqIhjviw3Iw5CIi9Mug3WOUs5ASMEbg5N:4YuvIaeRMtxqcjqwSvNgGngAlEbQ

    • Score

      1/10

    • Target

      vstdlib_s64.dll

    • Size

      13.8MB

    • MD5

      724018fc656d5524d57ec1500b267ff2

    • SHA1

      d9a7f02b5d3286693491280fd98314c69c4fb25d

    • SHA256

      6cde255c9081211f04f2aa0fa6c04dcc1575d52a93b78639585d48fc9fa86a3f

    • SHA512

      232a799e61e9b360e8f3ee15f1b0f93f6810a70df2ca5b11abd1499301109346ee1a974a70b95069fef2e224d80d1c5d90400ff6931ddf1320d2e5322b2888f8

    • SSDEEP

      196608:7WKjkDLnhh2IwfWbjWm1soVTrtvGPrHBGBdD:SKjSh2CbSAsWPtEDkB

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks