remcos | aeb1aab3be5b90cb85bfe28f0e092c83fee4a742a9cda7b0d8a6e464e6fa7342 | Triage

Sharing

General

Target

Shipping Document PL&BL003534,pdf.exe
Size

675KB
Sample

210106-2lqcmcdhjs
MD5

35d3f86c5715649c8a4273e6a52b0b54
SHA1

cebda0a60751e95d44bf19522c0f315595c47f51
SHA256

aeb1aab3be5b90cb85bfe28f0e092c83fee4a742a9cda7b0d8a6e464e6fa7342
SHA512

b3cec30f5f79de0a31943160687c92d5304f837a8c1de852b5f08682db1c8de1a4f44c13a92c6a37cc34bd842c2d7ebf219501ce52bca0c6a785a93d7dd5a9f4

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

blessings2021.ddns.net:2021

Targets

- Target
  
  Shipping Document PL&BL003534,pdf.exe
- Size
  
  675KB
- MD5
  
  35d3f86c5715649c8a4273e6a52b0b54
- SHA1
  
  cebda0a60751e95d44bf19522c0f315595c47f51
- SHA256
  
  aeb1aab3be5b90cb85bfe28f0e092c83fee4a742a9cda7b0d8a6e464e6fa7342
- SHA512
  
  b3cec30f5f79de0a31943160687c92d5304f837a8c1de852b5f08682db1c8de1a4f44c13a92c6a37cc34bd842c2d7ebf219501ce52bca0c6a785a93d7dd5a9f4
Score

10^/10

remcos persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcospersistencerat

behavioral2

remcospersistencerat