remcos | 9d3eddc1a411d1749efa3f08827529ab80356d515cb5321ed5ea7cca0dedca74 | Triage

Submit
Reports

Overview

overview

Static

static

PO - 2021-000511.exe

windows7_x64

PO - 2021-000511.exe

windows10_x64

Sharing

General

Target

PO - 2021-000511.exe
Size

330KB
Sample

210119-dgdw3rkp9j
MD5

66942e778b34428234e0a47a0e9c444e
SHA1

2bf1b967c0b9ff0c2478441a9294405afb29ec6e
SHA256

9d3eddc1a411d1749efa3f08827529ab80356d515cb5321ed5ea7cca0dedca74
SHA512

1bbf9595b15c0a1c0f8635c8a15161d39c5a73bf45a73f2f0fedfa80b33ed60c0bf1db738348a91b7f4ac2ac13e95bbd63d2ee65feaa01627656ba12e2e30989

Score

10^/10

remcos persistence rat spyware

Static task

static1

Behavioral task

behavioral1

Sample

PO - 2021-000511.exe

Resource

win7v20201028

remcos persistence rat spyware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO - 2021-000511.exe

Resource

win10v20201028

remcos persistence rat spyware

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

remcos

C2

nkosarevaocs.duckdns.org:7266

Targets

- Target
  
  PO - 2021-000511.exe
- Size
  
  330KB
- MD5
  
  66942e778b34428234e0a47a0e9c444e
- SHA1
  
  2bf1b967c0b9ff0c2478441a9294405afb29ec6e
- SHA256
  
  9d3eddc1a411d1749efa3f08827529ab80356d515cb5321ed5ea7cca0dedca74
- SHA512
  
  1bbf9595b15c0a1c0f8635c8a15161d39c5a73bf45a73f2f0fedfa80b33ed60c0bf1db738348a91b7f4ac2ac13e95bbd63d2ee65feaa01627656ba12e2e30989
Score

10^/10

remcos persistence rat spyware
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcospersistenceratspyware

behavioral2

remcospersistenceratspyware

© 2018-2024

Terms | Privacy