remcos | b2b9f945e823de8e2cb68ff9b4834d1c3e179756b5a3775f4986b849bc79d914 | Triage

Submit
Reports

Overview

overview

Static

static

technical sheet.doc

windows7_x64

technical sheet.doc

windows10_x64

Sharing

General

Target

technical sheet.doc
Size

295KB
Sample

210420-sl7282hvz6
MD5

3ae5587b15fa3a7391837bff4d7f0ff0
SHA1

1d608a470e2bf351df55b080e87d62ed918b2c8f
SHA256

b2b9f945e823de8e2cb68ff9b4834d1c3e179756b5a3775f4986b849bc79d914
SHA512

7f9e83e741f815652e2262fa44900b9c51e20dc81d22145c53d601006cda9eb5d579837e533b43ff339180d2de3266fc254683f607ed73f9ac1e8ef127043271

Score

10^/10

remcos persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

technical sheet.doc

Resource

win7v20210408

remcos persistence rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

technical sheet.doc

Resource

win10v20210410

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://brownfilleds.duckdns.org/zeddd.exe

Extracted

Family

remcos

C2

fieldsdegreenf.duckdns.org:6553

aaeeerbbbeee.duckdns.org:6553

Targets

- Target
  
  technical sheet.doc
- Size
  
  295KB
- MD5
  
  3ae5587b15fa3a7391837bff4d7f0ff0
- SHA1
  
  1d608a470e2bf351df55b080e87d62ed918b2c8f
- SHA256
  
  b2b9f945e823de8e2cb68ff9b4834d1c3e179756b5a3775f4986b849bc79d914
- SHA512
  
  7f9e83e741f815652e2262fa44900b9c51e20dc81d22145c53d601006cda9eb5d579837e533b43ff339180d2de3266fc254683f607ed73f9ac1e8ef127043271
Score

10^/10

remcos persistence rat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcospersistencerat

behavioral2

© 2018-2024

Terms | Privacy