Overview

overview

10

Static

static

PO839-DOC8...df.exe

windows7_x64

10

PO839-DOC8...df.exe

windows10_x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO839-DOC83475348-834_pdf.exe

  • Size

    169KB

  • Sample

    200713-fl42sgdvje

  • MD5

    f0a88db6d16630640775a733efd9527f

  • SHA1

    88fc7c4275f93c404efa073a80ce61e0e7f3ee5a

  • SHA256

    ff3eb81477b36ac2239b623085961439379064929b20c4a69f72cb266adece83

  • SHA512

    af00550e84d345289e6d1751f42be955a3d60a2e5a4f442764dfbb044b7e0c8d775e8af89c0d217bd8023d4a4739b77600ba9365f47cde5086afead6180f6ddf

Score
10/10
remcosratspyware

Malware Config

Extracted

Family

remcos

C2

109.169.89.116:2021

Targets

    • Target

      PO839-DOC83475348-834_pdf.exe

    • Size

      169KB

    • MD5

      f0a88db6d16630640775a733efd9527f

    • SHA1

      88fc7c4275f93c404efa073a80ce61e0e7f3ee5a

    • SHA256

      ff3eb81477b36ac2239b623085961439379064929b20c4a69f72cb266adece83

    • SHA512

      af00550e84d345289e6d1751f42be955a3d60a2e5a4f442764dfbb044b7e0c8d775e8af89c0d217bd8023d4a4739b77600ba9365f47cde5086afead6180f6ddf

    Score
    10/10
    ratremcosspyware

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks