General

  • Target: richiealvin.exe
  • Size: 791KB
  • Sample: 210120-5848x79n1x
  • MD5: 57cbb0c81ccbd1c74fa39bd6d1d32884
  • SHA1: bbb48a60aa774829cd22d86dfe0530fb79b35b83
  • SHA256: 46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd
  • SHA512: aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Score
10/10

Malware Config

Extracted

Family

remcos

C2

91.193.75.185:1989

Targets

    • Target: richiealvin.exe
    • Size: 791KB
    • MD5: 57cbb0c81ccbd1c74fa39bd6d1d32884
    • SHA1: bbb48a60aa774829cd22d86dfe0530fb79b35b83
    • SHA256: 46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd
    • SHA512: aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

    Score
    10/10

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                     Count  ID
  Execution             Scheduled Task                1      T1053
  Persistence           Scheduled Task                1      T1053
  Privilege Escalation  Scheduled Task                1      T1053
  Discovery             System Information Discovery  1      T1082

Tasks