Overview

overview

10

Static

static

7a99807a43...be.exe

windows7_x64

10

7a99807a43...be.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7a99807a434f33b10783b43bc2906fbe.exe

  • Size

    1.3MB

  • Sample

    210112-aq3f2gtrra

  • MD5

    7a99807a434f33b10783b43bc2906fbe

  • SHA1

    070af96b019f7e8f0d0dfa1ccd51a41f2f127c7e

  • SHA256

    09a2e4f8534369466eba713828653e44916f2307420fc47306b1b9cfff181e2c

  • SHA512

    d83ef5e5ca85f600cb3cedadd686f6c677aa26682f1f2c48816195ae94303ac632574b92f4a8742f6703f798b6d4432cecd05a042cf4c0867da998fb5b8ed591

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017

Targets

    • Target

      7a99807a434f33b10783b43bc2906fbe.exe

    • Size

      1.3MB

    • MD5

      7a99807a434f33b10783b43bc2906fbe

    • SHA1

      070af96b019f7e8f0d0dfa1ccd51a41f2f127c7e

    • SHA256

      09a2e4f8534369466eba713828653e44916f2307420fc47306b1b9cfff181e2c

    • SHA512

      d83ef5e5ca85f600cb3cedadd686f6c677aa26682f1f2c48816195ae94303ac632574b92f4a8742f6703f798b6d4432cecd05a042cf4c0867da998fb5b8ed591

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks