Overview

overview

10

Static

static

Quotation.exe

windows7_x64

7

Quotation.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Quotation.exe

  • Size

    1.5MB

  • Sample

    210118-2wcxspmtvj

  • MD5

    8ed2eb4f9aab811fef61c8cc1d61cf24

  • SHA1

    d4e2452748d1efc5bb62ee873bbd0af96d5f5d13

  • SHA256

    133a9c9b926ecb6806cf9afa73409b01472e67d80a7908dbadbfe2cf7e24f7e5

  • SHA512

    7686e04c7a5c348e3eaa01f0a56e4062ff94b142164111857499682e50b7e05c2aa481a524099229e100e7c97a96ed58f45004a4c7f621287504640100f7ed52

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

whatgodcannotdodoestnotexist.duckdns.org:2889

Targets

    • Target

      Quotation.exe

    • Size

      1.5MB

    • MD5

      8ed2eb4f9aab811fef61c8cc1d61cf24

    • SHA1

      d4e2452748d1efc5bb62ee873bbd0af96d5f5d13

    • SHA256

      133a9c9b926ecb6806cf9afa73409b01472e67d80a7908dbadbfe2cf7e24f7e5

    • SHA512

      7686e04c7a5c348e3eaa01f0a56e4062ff94b142164111857499682e50b7e05c2aa481a524099229e100e7c97a96ed58f45004a4c7f621287504640100f7ed52

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks