Overview

overview

10

Static

static

image00293...F7.exe

windows7_x64

10

image00293...F7.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    image002933894HF8474H038RHF7.exe

  • Size

    2.6MB

  • Sample

    201230-hm9z6814ax

  • MD5

    a20b5a07ccf2b7dc101161b49f140626

  • SHA1

    53493c31d96556211b32e2ce078d5d63f6f5329a

  • SHA256

    c07fd0e28659f9346a6330682e6c598df98402f2b853b6e00fef908ce432ee42

  • SHA512

    45d49d0b5ea7c326e4e564db0cf347b2e058ab33e93a318019ec8daf2e515dea8ad636b87ca298fcb3d5ebad1e87f1eb51513a88c34c119534bea63478dd2e40

Score
10/10
remcosevasionpersistencerattrojan

Malware Config

Extracted

Family

remcos

C2

www.alldatalogs.xyz:2404

Targets

    • Target

      image002933894HF8474H038RHF7.exe

    • Size

      2.6MB

    • MD5

      a20b5a07ccf2b7dc101161b49f140626

    • SHA1

      53493c31d96556211b32e2ce078d5d63f6f5329a

    • SHA256

      c07fd0e28659f9346a6330682e6c598df98402f2b853b6e00fef908ce432ee42

    • SHA512

      45d49d0b5ea7c326e4e564db0cf347b2e058ab33e93a318019ec8daf2e515dea8ad636b87ca298fcb3d5ebad1e87f1eb51513a88c34c119534bea63478dd2e40

    Score
    10/10
    remcosevasionpersistencerattrojan

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Turns off Windows Defender SpyNet reporting

      evasion

    • Windows security bypass

      evasiontrojan

    • Drops startup file

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks