Overview

overview

10

Static

static

Invoice_pdf.exe

windows7_x64

10

Invoice_pdf.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Invoice_pdf.exe

  • Size

    870KB

  • Sample

    210115-sqjrys3th6

  • MD5

    279249ce026add40ae320e48e7419dd0

  • SHA1

    39f75c20a9372a4b04231ca64f094a87621fa833

  • SHA256

    ad1f07921d826970a6a6e3073a870abd32a439d3ae2fc552b7dff46eb0d5f69c

  • SHA512

    17ebcc0503746fe3e5869491f6306b3f3753592eb2a44ad53248b28746e0dfc17a99c17ba2494c940bdf4ba6f71c154462a1b6087bf8ae7fba510372d998f851

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

welloff.myq-see.com:5267

Targets

    • Target

      Invoice_pdf.exe

    • Size

      870KB

    • MD5

      279249ce026add40ae320e48e7419dd0

    • SHA1

      39f75c20a9372a4b04231ca64f094a87621fa833

    • SHA256

      ad1f07921d826970a6a6e3073a870abd32a439d3ae2fc552b7dff46eb0d5f69c

    • SHA512

      17ebcc0503746fe3e5869491f6306b3f3753592eb2a44ad53248b28746e0dfc17a99c17ba2494c940bdf4ba6f71c154462a1b6087bf8ae7fba510372d998f851

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks