General
-
Target
NEW PURCHASE REQUIREMENT.xlsx
-
Size
2.0MB
-
Sample
210115-264rtxhrp6
-
MD5
aaeb01806b14bb41c5a8424cf6341d19
-
SHA1
6754ba8ec4337bdfaac0f56a057e65344fd6863a
-
SHA256
360757d16d95ca36f9933d6fc3633fad8983ebc1fda48e0462bc6e0c107281f0
-
SHA512
8435c1f2823ee66e0b5d717dcbea55cd542fb893635a03387330e46888689b31e124b0bd50cafb46b2c787054b069bab1f131826f5ed82387dad0cff58b30e1c
Malware Config
Extracted
remcos
swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017
Targets
-
-
Target
NEW PURCHASE REQUIREMENT.xlsx
-
Size
2.0MB
-
MD5
aaeb01806b14bb41c5a8424cf6341d19
-
SHA1
6754ba8ec4337bdfaac0f56a057e65344fd6863a
-
SHA256
360757d16d95ca36f9933d6fc3633fad8983ebc1fda48e0462bc6e0c107281f0
-
SHA512
8435c1f2823ee66e0b5d717dcbea55cd542fb893635a03387330e46888689b31e124b0bd50cafb46b2c787054b069bab1f131826f5ed82387dad0cff58b30e1c
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-