Overview

overview

10

Static

static

IMG-PO-SCA...12.exe

windows7_x64

10

IMG-PO-SCA...12.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    IMG-PO-SCAN-DOCUMENTS-00HDU12.exe

  • Size

    1.3MB

  • Sample

    201230-d23lpafhsn

  • MD5

    7b6d7d2361883cbb2aa79225773e069a

  • SHA1

    7f537d09deb9a10d4786db1194e5e3d14bf39aac

  • SHA256

    0b8fd92f9a070ff1914f4c71c2f684c9a877993b051af080ee198bccedf209ad

  • SHA512

    eaa90bdc190d8c0a727242627f10c41d6aa86de33ce81e6b0dfbcb616f4b5190441b368c68f63d20e764b47484064cbdf285a4f99ead548352ffd849f4703990

Score
10/10
remcosevasionpersistencerattrojan

Malware Config

Extracted

Family

remcos

C2

www.alldatalogs.xyz:2404

Targets

    • Target

      IMG-PO-SCAN-DOCUMENTS-00HDU12.exe

    • Size

      1.3MB

    • MD5

      7b6d7d2361883cbb2aa79225773e069a

    • SHA1

      7f537d09deb9a10d4786db1194e5e3d14bf39aac

    • SHA256

      0b8fd92f9a070ff1914f4c71c2f684c9a877993b051af080ee198bccedf209ad

    • SHA512

      eaa90bdc190d8c0a727242627f10c41d6aa86de33ce81e6b0dfbcb616f4b5190441b368c68f63d20e764b47484064cbdf285a4f99ead548352ffd849f4703990

    Score
    10/10
    remcosevasionpersistencerattrojan

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Turns off Windows Defender SpyNet reporting

      evasion

    • Windows security bypass

      evasiontrojan

    • Drops startup file

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks