Overview

overview

10

Static

static

EXTRACTOSE...55.exe

windows7_x64

10

EXTRACTOSE...55.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    EXTRACTOSERFINANZA718365418101786154346661555.exe

  • Size

    1.8MB

  • Sample

    210429-5gdrcngdvs

  • MD5

    4b87651766b45ec78c2c9ea9a6951e5c

  • SHA1

    6fd91fe21ba350f55bd6f00d389986084d4e3852

  • SHA256

    6993ffac6e8c4020e152ce6ba165cf3efb429908340d2d9c02812dffc019cf0a

  • SHA512

    f4e642008a9af3a91b55727636c0155dde65db1d811c776fd2ad7548ae18a52c5642ae6cfab04b9903bd642a10090ea27fe516bd94ddd9fed8af7b5b09c0fb46

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

databasepropersonombrecomercialideasearchwords.services:3521

Targets

    • Target

      EXTRACTOSERFINANZA718365418101786154346661555.exe

    • Size

      1.8MB

    • MD5

      4b87651766b45ec78c2c9ea9a6951e5c

    • SHA1

      6fd91fe21ba350f55bd6f00d389986084d4e3852

    • SHA256

      6993ffac6e8c4020e152ce6ba165cf3efb429908340d2d9c02812dffc019cf0a

    • SHA512

      f4e642008a9af3a91b55727636c0155dde65db1d811c776fd2ad7548ae18a52c5642ae6cfab04b9903bd642a10090ea27fe516bd94ddd9fed8af7b5b09c0fb46

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks