remcos | b72df5535e69fb7ea6dd6638059825c267e176baa3213a2f513d76d2455f1776 | Triage

Sharing

General

Target

Qotation.exe
Size

330KB
Sample

210119-gv8h854j2e
MD5

28b8acaf74bd16212a1d2fb732e88c6d
SHA1

993b52b65b755aa59f4d1f4390e3e0cd6c2ffacf
SHA256

b72df5535e69fb7ea6dd6638059825c267e176baa3213a2f513d76d2455f1776
SHA512

0da3543e18958730fe92ebc318fdcc7f8744a37bbadaea096f3a327b4207efc8a5b67819284aa7bb9fd293122c4daed5acbcb27842a45cfab6b10dfc4a88ed59

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

whatgodcannotdodoestnotexist.duckdns.org:2889

Targets

- Target
  
  Qotation.exe
- Size
  
  330KB
- MD5
  
  28b8acaf74bd16212a1d2fb732e88c6d
- SHA1
  
  993b52b65b755aa59f4d1f4390e3e0cd6c2ffacf
- SHA256
  
  b72df5535e69fb7ea6dd6638059825c267e176baa3213a2f513d76d2455f1776
- SHA512
  
  0da3543e18958730fe92ebc318fdcc7f8744a37bbadaea096f3a327b4207efc8a5b67819284aa7bb9fd293122c4daed5acbcb27842a45cfab6b10dfc4a88ed59
Score

10^/10

remcos persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcospersistencerat

behavioral2

remcospersistencerat