Overview

overview

10

Static

static

Sydler_Rem...J4.exe

windows7_x64

10

Sydler_Rem...J4.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe

  • Size

    290KB

  • Sample

    210118-tcwda2ymex

  • MD5

    e8f7d121f3d4e0d641a12895c7b287ac

  • SHA1

    17757b821ee9b081fcc142dcc7aff5a147de6095

  • SHA256

    a2925ab4b7c0267fb273b9125b81673c84525a2e974119dd6c6f3c10ac6675f5

  • SHA512

    2ff90e19afd3e9cc902c105ec861b0927b0b665c38b908f4a6f619a75f6568dfa0538900ce44699a7f2e6897d8ae6dabf7addb88b39d47f66edfadf241bdb2ed

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

www.maneediem.com:2404

Targets

    • Target

      Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe

    • Size

      290KB

    • MD5

      e8f7d121f3d4e0d641a12895c7b287ac

    • SHA1

      17757b821ee9b081fcc142dcc7aff5a147de6095

    • SHA256

      a2925ab4b7c0267fb273b9125b81673c84525a2e974119dd6c6f3c10ac6675f5

    • SHA512

      2ff90e19afd3e9cc902c105ec861b0927b0b665c38b908f4a6f619a75f6568dfa0538900ce44699a7f2e6897d8ae6dabf7addb88b39d47f66edfadf241bdb2ed

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks