Overview

overview

10

Static

static

Quotation.exe

windows7_x64

10

Quotation.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Quotation.exe

  • Size

    301KB

  • Sample

    210118-b1ljkymt52

  • MD5

    86ee20d76d6fcd5411f6ac7f6087e636

  • SHA1

    bdccba4e08fdcb0eb4881111087b04871ac9a017

  • SHA256

    605834c1fd1e1ad6e039fa17f7de298663ab902e84a70947a15ef18d088879e8

  • SHA512

    811795cd24c69795120dc26c4c876a51453eb11820f9482819a70698d6b14ddece068da18bad307e28975273d20d9a680b31df07c04362e8d33d7de733b26516

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

whatgodcannotdodoestnotexist.duckdns.org:2889

Targets

    • Target

      Quotation.exe

    • Size

      301KB

    • MD5

      86ee20d76d6fcd5411f6ac7f6087e636

    • SHA1

      bdccba4e08fdcb0eb4881111087b04871ac9a017

    • SHA256

      605834c1fd1e1ad6e039fa17f7de298663ab902e84a70947a15ef18d088879e8

    • SHA512

      811795cd24c69795120dc26c4c876a51453eb11820f9482819a70698d6b14ddece068da18bad307e28975273d20d9a680b31df07c04362e8d33d7de733b26516

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks