remcos | 7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585 | Triage

Sharing

General

Target

Shipping Document PL BL 960.exe
Size

973KB
Sample

210113-h5w9b1gj42
MD5

01856ddc0973cc04929480b93139ffa5
SHA1

c204a09386374da5924ace3f928e33d89f54d4d2
SHA256

7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585
SHA512

499951d507d49ae69ea1c6206575e1a14ee5cbf1bf5c6fc2099da858276721cb9efb67454f40790c69b09b8b419f8a1869234c1b983721a5fea99ec62c4a0386

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

favour2021.ddns.net:1990

Targets

- Target
  
  Shipping Document PL BL 960.exe
- Size
  
  973KB
- MD5
  
  01856ddc0973cc04929480b93139ffa5
- SHA1
  
  c204a09386374da5924ace3f928e33d89f54d4d2
- SHA256
  
  7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585
- SHA512
  
  499951d507d49ae69ea1c6206575e1a14ee5cbf1bf5c6fc2099da858276721cb9efb67454f40790c69b09b8b419f8a1869234c1b983721a5fea99ec62c4a0386
Score

10^/10

remcos persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcospersistencerat

behavioral2

remcospersistencerat