General
Target: TELEFONOS DE MEXICO.rar
Size: 5.0MB
Sample: 250211-ssstfsymgj
MD5: f67caec7a79834ae75203bc590875443
SHA1: 370ab7301101261d18e7ddfc8b33a372d11fc762
SHA256: 0ca989caf3674f15e7072c37e9c89c48cef3500f0f02bc1f3786f71625869c1a
SHA512: ff8d7452e4ee7fad6f53b88c2072ceff589fb521c0af30670f7c2555c9bf75832f8878d09a1b3aa5f897f191f7b1ab7b721bad94bb5008d4e0779bd92704fac5
SSDEEP: 98304:LTvwuWN87KCxGr8b6SWJnjzmQwg55VTjrHShKqBBKweSshKVq8SJgvuKG:guf7dxGCUJj/ZHHSDzc8VRShKG
Static task
static1

Behavioral tasks
behavioral1: sample TELEFONOS DE MEXICO.exe, resource win7-20241010-en
behavioral2: sample TELEFONOS DE MEXICO.exe, resource win10v2004-20250207-en
behavioral3: sample libvlc.dll, resource win7-20240903-en
behavioral4: sample libvlc.dll, resource win10v2004-20250207-en
behavioral5: sample libvlccore.dll, resource win7-20240903-en
behavioral6: sample libvlccore.dll, resource win10v2004-20250207-en
behavioral7: sample vcruntime211.dll, resource win7-20241010-en
behavioral8: sample vcruntime211.dll, resource win10v2004-20250211-en
Malware Config
Extracted: remcos
Botnet: fileooo
C2: 188.127.225.33:5637
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: 65-VD9T89
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets

Target: TELEFONOS DE MEXICO.exe
Size: 969KB
MD5: f9538485432d3ec640f89096ba2d4d00
SHA1: b050b847b1fe8be78d56b29bd23c25e05c227a92
SHA256: 5d695d8a0bb1d919cc77a2aa2488a61797bfa065238160278ee458120630aaf9
SHA512: ea7aeedd15f4d6a6005f8cfb7d404dfb0c302c837e48de7e3ff44d7d5908f8de6c0a81f736d874a491eddc89fdf753976be6f635e7e8512f5abb7f32caa8cfc5
SSDEEP: 24576:oFZAiQHDhht8m7FpUi1L1OXJz5zzz3zzzozzz3zzzNz:CZAiQHlhtz7FpWdwz
Signatures:
- Remcos family
- Uses the VBS compiler for execution
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Downloads MZ/PE file
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Suspicious use of SetThreadContext

Target: libvlc.dll
Size: 10.2MB
MD5: 98b96b0a8f184734a3917fc603551a05
SHA1: 18c64aad9d3f14d3358c8e02818678df9930cfe9
SHA256: 9f5ff22c8e79d8a394a3a65afcc3b87738ac0f655e59ee93ac25fbad287a58d0
SHA512: dc5739855c11226e1ddcd47c5f4e450b5bbe44c53066722d7fa0b817324ac5549fdaf931d3d24d9a6f5ea405e2e2bcadbbb3c001d73eb938a5ce2168d3329ec2
SSDEEP: 98304:8c8Pcsy8gpn4g2WjHNDw7uQKKlQRIwUm7ALYl7:gPcugp4EDuuQKKiRqSALY9
Signatures:
- Remcos family
- Downloads MZ/PE file
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext

Target: libvlccore.dll
Size: 2.7MB
MD5: c62c3ef5753af6e0980f38eebc196b1c
SHA1: fd1d62feaaacb7cad5f952b61a6f7bd60d6dc4e1
SHA256: 2ddb85b36650f85b5a09724c5b17428b1b1b76bd3e3dd85b643933659d5e333d
SHA512: f2338d26b073d8a796a7a19ee290b87b63f30f6cfa62e74d147756d2362898a167784c860d9bc098b1ec1a080aaa0fad25ca8c611b7e8f42ea8195c2b14abdfc
SSDEEP: 49152:0F0rn/mnSnjfazU2TGlMo1PBAUZLY6sEZGaXBuQQ9eI:0F07L60PBAUZL3W
Score: 6/10
Signatures:
- Downloads MZ/PE file

Target: vcruntime211.dll
Size: 482KB
MD5: 5e4c2519c1836bb2604efac8416b5df6
SHA1: 1d680e7a58ccdc2effa75394aa3296baddd683c4
SHA256: 801a0426f603044a224a2648c3b8679356cba76cd789f794117b26fa23b5aabd
SHA512: be73d867d9970abe370851c50bb793fd2cd737675163fd9e0b65cd5b17782c4703941ccaecc176176fafdc3f3692800da42ee6bdf3e16713acf3f13b07171c71
SSDEEP: 12288:G8UuBVRUCaGaiiB5pu5bWBwO0CCrrh73jGW:G8zRURGaJ/ukw55rRGW
Score: 1/10
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Active Setup (1)
    Browser Extensions (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Active Setup (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)