Overview

overview

10

Static

static

Query_Ref_...df.exe

windows7_x64

10

Query_Ref_...df.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Query_Ref_5787533_pdf.exe

  • Size

    957KB

  • Sample

    210421-gp7ccngkye

  • MD5

    0b7883cd326d76228c722b69541cb9a3

  • SHA1

    bf513758205dda0b62084d9b9718042aad5c836c

  • SHA256

    741ffe5460a43194d3a8cf76729abd8f6a5fb7d991e219037215920195a38c5e

  • SHA512

    2bc401cc1ce71ee9f783a67433be84dfa14d2b52715586a2a318cad51db15d3de09370a4ff580efa05935c91e5f7658794467166c5af38f65b8027d310a7b612

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

kjdes.ddns.net:6062

Targets

    • Target

      Query_Ref_5787533_pdf.exe

    • Size

      957KB

    • MD5

      0b7883cd326d76228c722b69541cb9a3

    • SHA1

      bf513758205dda0b62084d9b9718042aad5c836c

    • SHA256

      741ffe5460a43194d3a8cf76729abd8f6a5fb7d991e219037215920195a38c5e

    • SHA512

      2bc401cc1ce71ee9f783a67433be84dfa14d2b52715586a2a318cad51db15d3de09370a4ff580efa05935c91e5f7658794467166c5af38f65b8027d310a7b612

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks