remcos | 77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2 | Triage

Submit
Reports

Overview

overview

Static

static

77f25549a1...d2.exe

windows7_x64

77f25549a1...d2.exe

windows10_x64

Sharing

General

Target

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2
Size

337KB
Sample

201109-2rsy5sfvcx
MD5

54be0c733c2f2ec0d17da28bd5f5d229
SHA1

2018ec1b9b4040d304d76ae8e0cb66edc0c5ce50
SHA256

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2
SHA512

f259c6f49c680afa464b0b7c341ca90fc33b28fcb219cf8d75eb36f9592975973751bef476d7332e6d4c4473cd60779f5c5b62f41db83816079a2e5559578721

Score

10^/10

remcos coreentity persistence rat rezer0

Static task

static1

Behavioral task

behavioral1

Sample

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe

Resource

win7v20201028

remcos coreentity persistence rat rezer0

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe

Resource

win10v20201028

remcos coreentity persistence rat rezer0

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

remcos

C2

servr.killifabuse1.xyz:8643

Targets

- Target
  
  77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2
- Size
  
  337KB
- MD5
  
  54be0c733c2f2ec0d17da28bd5f5d229
- SHA1
  
  2018ec1b9b4040d304d76ae8e0cb66edc0c5ce50
- SHA256
  
  77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2
- SHA512
  
  f259c6f49c680afa464b0b7c341ca90fc33b28fcb219cf8d75eb36f9592975973751bef476d7332e6d4c4473cd60779f5c5b62f41db83816079a2e5559578721
Score

10^/10

remcos coreentity persistence rat rezer0
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- rezer0
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcoscoreentitypersistenceratrezer0

behavioral2

remcoscoreentitypersistenceratrezer0

© 2018-2024

Terms | Privacy