General
-
Target
document_v152120.doc
-
Size
12KB
-
Sample
210125-sfht5yhyd6
-
MD5
3c9b171aa4191384845ffc13021f3a7f
-
SHA1
0acd262c9aad61b328b4d37a3460ba41630ef3a0
-
SHA256
140ee2b8d6fba55259d70bab833fbae1924c7426bb8ddc79aaa5088435281872
-
SHA512
62bd151a6e9520133a6e1257f06ebe8bfcd0da71f7665a402b9d136c48c561f3b17eaae462cc709845c503de89d208d735caacb7e5df234ad2397900d7de89cc
Malware Config
Extracted
remcos
moneyds.ddns.net:6332
Targets
-
-
Target
document_v152120.doc
-
Size
12KB
-
MD5
3c9b171aa4191384845ffc13021f3a7f
-
SHA1
0acd262c9aad61b328b4d37a3460ba41630ef3a0
-
SHA256
140ee2b8d6fba55259d70bab833fbae1924c7426bb8ddc79aaa5088435281872
-
SHA512
62bd151a6e9520133a6e1257f06ebe8bfcd0da71f7665a402b9d136c48c561f3b17eaae462cc709845c503de89d208d735caacb7e5df234ad2397900d7de89cc
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-