Overview

overview

10

Static

static

unpaid.exe

windows7_x64

10

unpaid.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    unpaid.exe

  • Size

    289KB

  • Sample

    210118-tfv7wqw7we

  • MD5

    23195e221bd52fc2ff7bcecef0c6e9af

  • SHA1

    efffd2231109a8103f1b85da879ee2cfd9e59ba8

  • SHA256

    07cb866df6df9ad51ce01426b0a0466834619e72c2653ff7c25320cc3c0a3f9a

  • SHA512

    8cbb1a709e198e7c905b81554000d83f88e2429c821d5990d45c8f182442e2409828de014750aa2ef23c97f033b0f098bdf281cc8bc7b5c1e7ff53ca7d2dd3c8

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

nkosarevaocs.duckdns.org:7266

Targets

    • Target

      unpaid.exe

    • Size

      289KB

    • MD5

      23195e221bd52fc2ff7bcecef0c6e9af

    • SHA1

      efffd2231109a8103f1b85da879ee2cfd9e59ba8

    • SHA256

      07cb866df6df9ad51ce01426b0a0466834619e72c2653ff7c25320cc3c0a3f9a

    • SHA512

      8cbb1a709e198e7c905b81554000d83f88e2429c821d5990d45c8f182442e2409828de014750aa2ef23c97f033b0f098bdf281cc8bc7b5c1e7ff53ca7d2dd3c8

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks