Overview

overview

10

Static

static

Payment Advice.vbs

windows7_x64

10

Payment Advice.vbs

windows10_x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Payment Advice.vbs

  • Size

    4KB

  • Sample

    210121-8j52q7pg46

  • MD5

    afccc71a981fa3ea99bf0af6cbbfac4d

  • SHA1

    125e81caad716d88d4be375c125156a673d1ecb0

  • SHA256

    6f4f4f4b980e471c5f8f5d0d95bff5a7ec98e3e2377f18f7fc0d44828cbe33a6

  • SHA512

    0ea2d841cb7f3a55a6304b1784adecc7e87aa43676583c67084dafe2d702267165873031ac3fd2f5e7aced18aba36a6a5283b03eca2cb754a75fb0ce65955fdd

Score
10/10
remcosransomwarerat

Malware Config

Extracted

Family

remcos

C2

creditdept01.myq-see.com:6800

Targets

    • Target

      Payment Advice.vbs

    • Size

      4KB

    • MD5

      afccc71a981fa3ea99bf0af6cbbfac4d

    • SHA1

      125e81caad716d88d4be375c125156a673d1ecb0

    • SHA256

      6f4f4f4b980e471c5f8f5d0d95bff5a7ec98e3e2377f18f7fc0d44828cbe33a6

    • SHA512

      0ea2d841cb7f3a55a6304b1784adecc7e87aa43676583c67084dafe2d702267165873031ac3fd2f5e7aced18aba36a6a5283b03eca2cb754a75fb0ce65955fdd

    Score
    10/10
    remcosransomwarerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Blocklisted process makes network request

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks