General

  • Target

    11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83

  • Size

    257KB

  • Sample

    201109-drw65sz3xs

  • MD5

    6546310491f91536d50a4afec31d29ad

  • SHA1

    fe52fb147856063236b35cfc44109c433c4f80c3

  • SHA256

    11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83

  • SHA512

    79c52bf52ffa8d35822e9c9496391d3325c44a723e1036dc5bc9ac40769fdecb0abb000db0ff7bf95bf1b51166449540ede564c4902530a07ae1c0319877cfed

Malware Config

Extracted

  • Family

    remcos

  • C2

    vuelta2020.ddns.net:7373

Targets

    • CoreEntity .NET Packer

      CoreEntity is a .NET packer that embeds the payload as a BitMap object which is later decrypted.

    • Modifies WinLogon for persistence

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • rezer0

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Modifies WinLogon

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (1) T1053

  • Persistence

    Winlogon Helper DLL (2) T1004
    Registry Run Keys / Startup Folder (2) T1060
    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Defense Evasion

    Modify Registry (4) T1112

Tasks