Overview

overview

10

Static

static

QOUTATION-...om.exe

windows7_x64

10

QOUTATION-...om.exe

windows10_x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    QOUTATION-PDF- SCAN COPY.com

  • Size

    1.5MB

  • Sample

    210118-fw329sar16

  • MD5

    9a9bbfd840fc81a65bbbd542c5b218c9

  • SHA1

    41a8ce06eff712b8aa1e6c9a86776b9fa1763950

  • SHA256

    a29a5b9eafdb7e2dbec28f1cb59d5ffcec859333d8f1a4cc00a37c3eded32ae3

  • SHA512

    6f06eedda66f0e55b24f82d9c6bbabc08972c271749ceacd7826f5062034d135a4d0e89d65c1c693cd85947ac9763d1cac3521f75fc72c4abf38f733dfafa4e5

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

eileenwmsscm.duckdns.org:2558

Targets

    • Target

      QOUTATION-PDF- SCAN COPY.com

    • Size

      1.5MB

    • MD5

      9a9bbfd840fc81a65bbbd542c5b218c9

    • SHA1

      41a8ce06eff712b8aa1e6c9a86776b9fa1763950

    • SHA256

      a29a5b9eafdb7e2dbec28f1cb59d5ffcec859333d8f1a4cc00a37c3eded32ae3

    • SHA512

      6f06eedda66f0e55b24f82d9c6bbabc08972c271749ceacd7826f5062034d135a4d0e89d65c1c693cd85947ac9763d1cac3521f75fc72c4abf38f733dfafa4e5

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks