remcos | 6f2ec1f1f9374aa47eaa43ff20135e245f6d98b7db8b6d293f1b8b46d3297f13 | Triage

Sharing

General

Target

Shipping Document PL& BL 00980 ,pdf.exe
Size

1.0MB
Sample

210118-s3qjm9ard2
MD5

0329f09397d5b9f25dcc162d35568d05
SHA1

ca9746f0bc270776ef6eb5ff74faf5d8d123b5f9
SHA256

6f2ec1f1f9374aa47eaa43ff20135e245f6d98b7db8b6d293f1b8b46d3297f13
SHA512

4efc896e871b4e4519dfd56c6f3884dc793f2173d2048ff27c5bd183a5858691887adc0ae8c7451562fdcf2d49ea62e957b3e60f3245d15af6988c290c749a1e

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

favour2021.ddns.net:1990

Targets

- Target
  
  Shipping Document PL& BL 00980 ,pdf.exe
- Size
  
  1.0MB
- MD5
  
  0329f09397d5b9f25dcc162d35568d05
- SHA1
  
  ca9746f0bc270776ef6eb5ff74faf5d8d123b5f9
- SHA256
  
  6f2ec1f1f9374aa47eaa43ff20135e245f6d98b7db8b6d293f1b8b46d3297f13
- SHA512
  
  4efc896e871b4e4519dfd56c6f3884dc793f2173d2048ff27c5bd183a5858691887adc0ae8c7451562fdcf2d49ea62e957b3e60f3245d15af6988c290c749a1e
Score

10^/10

remcos persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcospersistencerat

behavioral2

remcospersistencerat