Overview

overview

10

Static

static

Scan_Docum...6G.exe

windows7_x64

10

Scan_Docum...6G.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Scan_Documents-001HD4847DHD346G.rar

  • Size

    309KB

  • Sample

    210413-jt58xg2pmx

  • MD5

    b82d6cd9096026375c0e930ba11d760f

  • SHA1

    22588876117b44b97d91e565a11f762e57b4349c

  • SHA256

    5968501b6456f12a9f36071f5e663bc48214007b9ff78601cb3e5585b8df29e9

  • SHA512

    1194b8d7c1594f3a7f1aa7103d3f5cf2635f6b24a4365848824284558fe2c9ed697d22b24f3d2579ba923655534176a311b416267d7662b87b1f80c78ce5880f

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

www.swqrn.com:16108

Targets

    • Target

      Scan_Documents-001HD4847DHD346G.exe

    • Size

      838KB

    • MD5

      303c5d6aa71eede673d90225146fba07

    • SHA1

      61e24b0ec1a6933259565c21788e0ccbacd4c630

    • SHA256

      6018d6795b86aef8d39205698ca166c8c5d413d06a8a1fa346741bd56ff0e307

    • SHA512

      bc584d8b598bf59e4ec1a3b494556df46730fdf31175ac6fdfd4fe8c72781e539d9d082998d7df0b292a3c4212ab16a46a4e734a28b2d0291a016e3bdebd728a

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks