Overview

overview

10

Static

static

EXTRACTOSE...62.exe

windows7_x64

10

EXTRACTOSE...62.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    EXTRACTOSERFINANZA149952705997730013733597462.exe

  • Size

    175KB

  • Sample

    210426-z29htenxan

  • MD5

    7949066c49b82ebce27756a69ee28fee

  • SHA1

    20fee757b2258d7a7ed27f1c147753082dbc8548

  • SHA256

    dcda7574d5ca6cdca0ee9336b33ef4e63b1a33c96cc1787aa1e42d8a8534c490

  • SHA512

    9ca2c9786e2597fa6b318fa6bd28a6a88af251956d80aeb0c039022e70a07a6f9fd4da568daab3c042d1caad6248c80a315b09595aa9ef1102367eb4f23a41d0

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

databasepropersonombrecomercialideasearchwords.services:3521

Targets

    • Target

      EXTRACTOSERFINANZA149952705997730013733597462.exe

    • Size

      175KB

    • MD5

      7949066c49b82ebce27756a69ee28fee

    • SHA1

      20fee757b2258d7a7ed27f1c147753082dbc8548

    • SHA256

      dcda7574d5ca6cdca0ee9336b33ef4e63b1a33c96cc1787aa1e42d8a8534c490

    • SHA512

      9ca2c9786e2597fa6b318fa6bd28a6a88af251956d80aeb0c039022e70a07a6f9fd4da568daab3c042d1caad6248c80a315b09595aa9ef1102367eb4f23a41d0

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks