remcos | 37d06b4e6ec408584c915ba339a3b1c7a8d49a8b9a1c7e95422b149560c6909f | Triage

Sharing

General

Target

sample.zip
Size

57KB
Sample

210426-x6zwme6sz6
MD5

b6c95d43f10dc0a67d66a7138ddf3aec
SHA1

689972498bec23b2455fd60272063fe221cf1e20
SHA256

37d06b4e6ec408584c915ba339a3b1c7a8d49a8b9a1c7e95422b149560c6909f
SHA512

1a6af4ac4fc19d4664f4fbc3069a601c89361c61ac005877c22865c8ab7af6540ef45bc077a41c544611f4b31f02dd8fba0bcb0fd10ed7fef68c2b28fbee192b

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

databasepropersonombrecomercialideasearchwords.services:3521

Targets

- Target
  
  first1.exe
- Size
  
  183KB
- MD5
  
  c1b9c27c13f700813890b186b09bf55a
- SHA1
  
  a816f0a3df54453fd3dec7e91cc17d0eeb74ee81
- SHA256
  
  e4087f56d9f1aae9eb98d19654465241c4b1c52bac4d7e4c5cbea11cb3244905
- SHA512
  
  5f03a562eccc1dce9a881c8637a3e4c56e9daeb1869392fa7b4134ec8000800962cc44cd0ef91dd03ff46053db08d767460c9008bb4dfdecc230bb4cd22737d2
Score

10^/10

remcos persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcospersistencerat

behavioral2

remcospersistencerat