Overview

overview

10

Static

static

8862719d86...68.exe

windows7_x64

10

8862719d86...68.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8862719d86a768b1d8363364f0382868.exe

  • Size

    1.4MB

  • Sample

    210113-11e4zn7ma2

  • MD5

    8862719d86a768b1d8363364f0382868

  • SHA1

    998e6f410a43aa618edf7c3a1a5e36abc79c6326

  • SHA256

    495955225d3f8b7ee34f7f194685ac06621f177e25aca6bde09d038b0a2afd74

  • SHA512

    a2f3213cf62cbed0da5bcd2ec898feaab4f374ff4fd2d50992c360f5f0b4b1f07e804d8a334174204fe700fb863125fd0dca3acce13f6c2081552ec2cbd0d0a2

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017

Targets

    • Target

      8862719d86a768b1d8363364f0382868.exe

    • Size

      1.4MB

    • MD5

      8862719d86a768b1d8363364f0382868

    • SHA1

      998e6f410a43aa618edf7c3a1a5e36abc79c6326

    • SHA256

      495955225d3f8b7ee34f7f194685ac06621f177e25aca6bde09d038b0a2afd74

    • SHA512

      a2f3213cf62cbed0da5bcd2ec898feaab4f374ff4fd2d50992c360f5f0b4b1f07e804d8a334174204fe700fb863125fd0dca3acce13f6c2081552ec2cbd0d0a2

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks