Overview

overview

10

Static

static

H-ÖİŞSH...54.doc

windows7_x64

10

H-ÖİŞSH...54.doc

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    H-ÖİŞSHvTA-20210420-54.doc

  • Size

    570KB

  • Sample

    210420-vl8fmdhjte

  • MD5

    51e5e69a3706f5b25965e8b9be30f57b

  • SHA1

    3529b4ac6af4fef13747ab0e07f17640d0278754

  • SHA256

    fcb7b776870f80ea86ed26f7b561dff7a12d9eb98e61eee83033d1bcaa801400

  • SHA512

    9df8a95756e505eff3199b9d8cc05bede02f40255d29f83b4e1de7f91aabde9b08b180a02895f51c1f2df73c1c0ebe54606fc94e848a383765f42df4ba1aff6c

Score
10/10
remcosevasionrattrojan

Malware Config

Extracted

Family

remcos

C2

arttronova124.duckdns.org:3030

Targets

    • Target

      H-ÖİŞSHvTA-20210420-54.doc

    • Size

      570KB

    • MD5

      51e5e69a3706f5b25965e8b9be30f57b

    • SHA1

      3529b4ac6af4fef13747ab0e07f17640d0278754

    • SHA256

      fcb7b776870f80ea86ed26f7b561dff7a12d9eb98e61eee83033d1bcaa801400

    • SHA512

      9df8a95756e505eff3199b9d8cc05bede02f40255d29f83b4e1de7f91aabde9b08b180a02895f51c1f2df73c1c0ebe54606fc94e848a383765f42df4ba1aff6c

    Score
    10/10
    remcosevasionrattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks