Overview

overview

10

Static

static

Documento ...86.exe

windows7_x64

10

Documento ...86.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Documento AWB DHL 3374687886.exe

  • Size

    660KB

  • Sample

    210114-r358ym52rj

  • MD5

    e4e02951e1f41618256a13b0b682f74f

  • SHA1

    feb39ed57d123134ac15db3357ea02ea05f31b27

  • SHA256

    db40b329c1ecea2045d4e2bc27fe712b52bbfc1d51ff1b55dcd3c8bb72258710

  • SHA512

    c47a316c209d005fd36e4eb79a0f1965a7c6b3df1b88d3bf26b4149b77d3616e78870bd4c4fba87aa1df0fa7c9d073d02e22385417c4dd83ffb43f69229e6b10

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

favour2021.ddns.net:1990

Targets

    • Target

      Documento AWB DHL 3374687886.exe

    • Size

      660KB

    • MD5

      e4e02951e1f41618256a13b0b682f74f

    • SHA1

      feb39ed57d123134ac15db3357ea02ea05f31b27

    • SHA256

      db40b329c1ecea2045d4e2bc27fe712b52bbfc1d51ff1b55dcd3c8bb72258710

    • SHA512

      c47a316c209d005fd36e4eb79a0f1965a7c6b3df1b88d3bf26b4149b77d3616e78870bd4c4fba87aa1df0fa7c9d073d02e22385417c4dd83ffb43f69229e6b10

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks