remcos | 91a88238f5b4dc93a3626e9fc6cf1c5e10b5690153bac179606128380fb45142 | Triage

Submit
Reports

Overview

overview

Static

static

EASTEND.doc

windows7_x64

EASTEND.doc

windows10_x64

5

Sharing

General

Target

EASTEND.doc
Size

299KB
Sample

210121-7emyrcanls
MD5

4ba5af0ca862e168e6be9b311c19d023
SHA1

489c5f20f70391e817a1b2406f164b789094c376
SHA256

91a88238f5b4dc93a3626e9fc6cf1c5e10b5690153bac179606128380fb45142
SHA512

36ee5ddeadf4cb447b52810174173b8919b7ecd93659cf091ba1f5aab79618b4a416807b3feb6e42eb7a0a2e19e5d63dcbfb412cd54245e04afe535c3f4213e9

Score

10^/10

remcos persistence ransomware rat

Static task

static1

Behavioral task

behavioral1

Sample

EASTEND.doc

Resource

win7v20201028

remcos persistence ransomware rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

EASTEND.doc

Resource

win10v20201028

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

remcos

C2

gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu:2177

Targets

- Target
  
  EASTEND.doc
- Size
  
  299KB
- MD5
  
  4ba5af0ca862e168e6be9b311c19d023
- SHA1
  
  489c5f20f70391e817a1b2406f164b789094c376
- SHA256
  
  91a88238f5b4dc93a3626e9fc6cf1c5e10b5690153bac179606128380fb45142
- SHA512
  
  36ee5ddeadf4cb447b52810174173b8919b7ecd93659cf091ba1f5aab79618b4a416807b3feb6e42eb7a0a2e19e5d63dcbfb412cd54245e04afe535c3f4213e9
Score

10^/10

remcos persistence ransomware rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcospersistenceransomwarerat

behavioral2

© 2018-2024

Terms | Privacy