remcos | 15b49b34b3bc2bebea6eaad217468c16d7cc2bc9bd61d8cc688ab16a88159f88 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

XDR_ResponseApp_CollectFile_RM-20250520-00011_e2b0444e-7dc6-4478-96b1-7c16074089c7_20250520T185826Z.7z
Size

3.5MB
Sample

250520-ylxrqabp5y
MD5

e71d0de5bea533fd0b52c697ab650d3d
SHA1

8156b27196a5b0427e6d800145cd22538efe3fc5
SHA256

15b49b34b3bc2bebea6eaad217468c16d7cc2bc9bd61d8cc688ab16a88159f88
SHA512

b300ae694869a3b477399f239e3a289c1152e82a57f333f69615737b41a262a688e5a2cd035a5dc409fbfc84b367353cee8182a3b3bbe2cb80e89816ade0555e
SSDEEP

98304:CkRquoIY/xoSd9Gb19QFYzZ3rQQ1mH07i/CPMp7O3tsQfyJ1:jRq/7xowGSYzprH1mIPMp72hfyb

Score

10^/10

remcos abril 21 muchacha 2025 aspackv2 discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

ABRIL 21 MUCHACHA 2025

C2

productos.zongamervid.com:5509

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
geancera
mouse_option
false
mutex
cuhcooas-SETB5C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  formulario_citas.msi
- Size
  
  3.4MB
- MD5
  
  445a74d71fd6b38261b2b9965e7e431b
- SHA1
  
  c76653e1c78d78ac888d3b81bed70291f44f4d43
- SHA256
  
  0e490b7523550e42fdef9842d83fc5e4aeff20fedf01b613585e811533e300ce
- SHA512
  
  ed115d0c795fe8272913d2cb42611f85b062a54bcf375b150f810f13ac052cfe5cef57747e4fa5b5c867e38fd5fe4ccb745824393a090e596dc6b7da536693e7
- SSDEEP
  
  98304:TP2etMMjmPiHPIutMIcPGt3TJ+dwzV5/MblV:BRjmaHPIuHxt3l+mzb/K
Score

10^/10

remcos abril 21 muchacha 2025 aspackv2 discovery persistence privilege_escalation rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

System Binary Proxy Execution

Msiexec

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosabril 21 muchacha 2025aspackv2discoverypersistenceprivilege_escalationrat