remcos | 1384907c30bf5d2185b80dfbc63359a50f087e87a5caa3c27edf8cb3a3a6d2d5 | Triage

Submit
Reports

Overview

overview

Static

static

Factura Se...df.exe

windows7_x64

Factura Se...df.exe

windows10_x64

Sharing

General

Target

Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
Size

181KB
Sample

210423-576mb2x6he
MD5

06b2befd05d60d47183797b1e079b6e8
SHA1

8d1abaeb6d198014767384dc6594b28bea6d6e69
SHA256

1384907c30bf5d2185b80dfbc63359a50f087e87a5caa3c27edf8cb3a3a6d2d5
SHA512

e10fc2a9b28e27b129e1208412ac4596f8e1314da58b2c88dbc82d8ddda8f61e7d58b0c30e0df6ece364fd57747616373a4efdc8889980bcf097fca624046a83

Score

10^/10

remcos evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe

Resource

win7v20210410

remcos evasion persistence rat trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe

Resource

win10v20210408

remcos evasion persistence rat trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

remcos

C2

databasepropersonombrecomercialideasearchwords.services:3521

Targets

- Target
  
  Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
- Size
  
  181KB
- MD5
  
  06b2befd05d60d47183797b1e079b6e8
- SHA1
  
  8d1abaeb6d198014767384dc6594b28bea6d6e69
- SHA256
  
  1384907c30bf5d2185b80dfbc63359a50f087e87a5caa3c27edf8cb3a3a6d2d5
- SHA512
  
  e10fc2a9b28e27b129e1208412ac4596f8e1314da58b2c88dbc82d8ddda8f61e7d58b0c30e0df6ece364fd57747616373a4efdc8889980bcf097fca624046a83
Score

10^/10

remcos evasion persistence rat trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcosevasionpersistencerattrojan

behavioral2

remcosevasionpersistencerattrojan

© 2018-2024

Terms | Privacy