Overview

overview

10

Static

static

imagnpdf04...93.exe

windows7_x64

10

imagnpdf04...93.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    imagnpdf0440690129912239vistaprevia02052329503adobeplayer02304293.exe

  • Size

    1.8MB

  • Sample

    210111-x76t65z3re

  • MD5

    5b2c784d7de1aeb2bbfcee269f138e00

  • SHA1

    9948f3bf9aa8c548139c2b6c969cb90b9ace4c3a

  • SHA256

    cb8642988cadd0d704adcd1025d24a0604416c9fbd92d9b74597e861c0a15d22

  • SHA512

    0eaacc0d76a93db04a0ed55878fa90d30b48debe23ff0a38dcc223d1daada1f53da558b1bfec052af04e9fdffcf0b979fa18309d2dd1954ff934f6491ed4e1cb

Score
10/10
remcosevasionpersistencerattrojan

Malware Config

Extracted

Family

remcos

C2

cincuentayseisrem.duckdns.org:1012

Targets

    • Target

      imagnpdf0440690129912239vistaprevia02052329503adobeplayer02304293.exe

    • Size

      1.8MB

    • MD5

      5b2c784d7de1aeb2bbfcee269f138e00

    • SHA1

      9948f3bf9aa8c548139c2b6c969cb90b9ace4c3a

    • SHA256

      cb8642988cadd0d704adcd1025d24a0604416c9fbd92d9b74597e861c0a15d22

    • SHA512

      0eaacc0d76a93db04a0ed55878fa90d30b48debe23ff0a38dcc223d1daada1f53da558b1bfec052af04e9fdffcf0b979fa18309d2dd1954ff934f6491ed4e1cb

    Score
    10/10
    remcosevasionpersistencerattrojan

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Windows security bypass

      evasiontrojan

    • Drops startup file

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

5
T1112

Disabling Security Tools

3
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks