Overview

overview

10

Static

static

INVOICE-PD...PY.exe

windows7_x64

10

INVOICE-PD...PY.exe

windows10_x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    INVOICE-PDF- SCAN COPY.exe

  • Size

    1.5MB

  • Sample

    210118-wm3zkw65tx

  • MD5

    e6a1db28e3fa9241f8a37fc24a6bd0e7

  • SHA1

    7c3c1c035d5022f035928fba257af94fe4ad81c6

  • SHA256

    ce97e49dca586f267017b8d8778e65e58ca39162d738f696704ce287ad502d9b

  • SHA512

    b3faf1f325fa73d685ce8a44f48d886198c2a07c12aa11c77d017c5f078fa8806f7fd944777dc5a017cdddda356b32c62a2d5a9c7d2df03d6d17c8a55bc03c01

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

eileenwmsscm.duckdns.org:2558

Targets

    • Target

      INVOICE-PDF- SCAN COPY.exe

    • Size

      1.5MB

    • MD5

      e6a1db28e3fa9241f8a37fc24a6bd0e7

    • SHA1

      7c3c1c035d5022f035928fba257af94fe4ad81c6

    • SHA256

      ce97e49dca586f267017b8d8778e65e58ca39162d738f696704ce287ad502d9b

    • SHA512

      b3faf1f325fa73d685ce8a44f48d886198c2a07c12aa11c77d017c5f078fa8806f7fd944777dc5a017cdddda356b32c62a2d5a9c7d2df03d6d17c8a55bc03c01

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks