General
Target: Remittance Invoice.exe
Size: 1.2MB
Sample: 201120-sscmfyejtj
MD5: f03c339b2b7e63903641a07c4b6a0a72
SHA1: e51a360179170851a365abf6bb24b70fbc6b9dab
SHA256: e79648e3393883d7e4cc82daec386ecc84e88268c6aa127abfe2677d602ff08f
SHA512: 784854b6b00a8e7a59cbd1be30c567493ac0d26471ab7687fe63e3736dbc507cb339cd28b0eea0d94a8bfb4cd03f03db7f812c863bf2c11464a798a70ded5c93
Static task: static1
Behavioral task: behavioral1
  Sample: REMITTAN.EXE
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: REMITTAN.EXE
  Resource: win10v20201028
Malware Config
Extracted: remcos
  dollarboy1.duckdns.org:5252
Targets
Target: REMITTAN.EXE
Size: 73KB
MD5: 4f0970aff8d4998eb4330f146538bb9f
SHA1: ce5b8d2203146a4e081d61b525779d13c104797f
SHA256: e3eb1466bda0d2fa25a6aefd756ed0185c86c1bfc0aa2a68a22429afa019cc6a
SHA512: dba29de31cf0b11329c1a9b5111a2dd0d8ab9995945a7f7e920620833e313ac769b757dab9167518998d73c93738d0844d5fa43e1f6014cfa5adbc98c3cc8a00
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext