General
-
Target
SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504
-
Size
1.3MB
-
Sample
210121-mbltxbt89x
-
MD5
33c35598a22a81d9d62986a910bc4d46
-
SHA1
9177c4636517c04dad78521286ffe8928b3c8672
-
SHA256
0a5a4665f8d532812a8c8992b8ecc0e58efb56e7730382268ca3ca65a0f74f38
-
SHA512
4dba8eeb9f9d2861c13dd9107a90e98d89412ef815aa19ed502cc292d6afed79ff582bdc5faad1d9b9d74c73e887a5bb83a49c64c69e04cc53270bbb3fae03d0
Malware Config
Extracted
remcos
swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017
Targets
-
-
Target
SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504
-
Size
1.3MB
-
MD5
33c35598a22a81d9d62986a910bc4d46
-
SHA1
9177c4636517c04dad78521286ffe8928b3c8672
-
SHA256
0a5a4665f8d532812a8c8992b8ecc0e58efb56e7730382268ca3ca65a0f74f38
-
SHA512
4dba8eeb9f9d2861c13dd9107a90e98d89412ef815aa19ed502cc292d6afed79ff582bdc5faad1d9b9d74c73e887a5bb83a49c64c69e04cc53270bbb3fae03d0
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-