Overview

overview

10

Static

static

first2.exe

windows7_x64

10

first2.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sample.zip

  • Size

    59KB

  • Sample

    210426-sjvgj6m1ns

  • MD5

    a7d258b0f9a42595e999634cdb468b89

  • SHA1

    d33e5fa488b8111b2f920da48268cf995f1bd9a1

  • SHA256

    fd84a9e6935b0cc10488a3926d1a3d67f79a843039aa0dae539d1c9be67f4f36

  • SHA512

    a2dfff3cfcb632a2358451e46d10bf3f0bdd8e1bd0dc32bec504bf57aabba56a6a5a849b62d084b541b569b9d5edcf0fa6b1c10a1225969e91393b8551adefe6

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

databasepropersonombrecomercialideasearchwords.services:3521

Targets

    • Target

      first2.exe

    • Size

      188KB

    • MD5

      81650b5894e10dc7f6b4d45f05f36bf9

    • SHA1

      5f22af376e1395cbdca9470ff9432938c290b3d5

    • SHA256

      d339fb0c1a994e652b4fe8f4cfd8a16745ca9a04f9042cab1d16ca73103f41d4

    • SHA512

      4c1142054c46cc3a94b3778424fc06bc835208e974acd16ee063b0dc46e943eb3bb929d29c9ecd990d3fbe79c0788094976a4e250fc6134d907f7a0d78ef03df

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks