Overview

overview

10

Static

static

Order Conf...73.pdf

windows7_x64

1

Order Conf...73.pdf

windows10_x64

1

SCAN_ORDER...if.exe

windows7_x64

10

SCAN_ORDER...if.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Scan Order & Samples.zip

  • Size

    666KB

  • Sample

    210430-hn4qmybtza

  • MD5

    204fd1402e1d989febeca251c451ae69

  • SHA1

    cd433484b13c919a8e6bbcd233c6812e7d63e39b

  • SHA256

    4ac29ae6662d7d435682912253ba40eeba34dd7e1cf9b03654a4a6ac22d1faf8

  • SHA512

    1bb1a83157d2ac3320c99e8c2242c796b01ffac722f5c51afd18eaba71a196a051470a579bc61aa7856fc7cb04d1951f60dfb2bb22d1b50755abe0b803786acf

Score
10/10
remcosagilenetrat

Malware Config

Extracted

Family

remcos

C2

remcoswealth.ddns.net:59239

Targets

    • Target

      Order Confirmation SO131873.pdf

    • Size

      76KB

    • MD5

      65b409d1799c0dad747e565350aaa582

    • SHA1

      d452ea1914e93447163b7768fc73f215838082ba

    • SHA256

      7281a07e3e77fa32578f840b57fdd3fc20d7b25c934447df445ade25fd0395db

    • SHA512

      7aadd3e03b0491298abd708443bcc68b8e80da68bda54d750e9d8e4876a483052819f04e4be37999ef4bc13e97d5a0e882716b1cd40cc0d395a1e83878e0c137

    Score
    1/10
    behavioral1behavioral2

    • Target

      SCAN_ORDER & SAMPLES.pif

    • Size

      987KB

    • MD5

      b00712611beb7399b2d3aaca876eb5a9

    • SHA1

      25b5ada90dfee19a99b17eaf2495c347ed21cafe

    • SHA256

      32c3d29676757629b7ceeafd699c33c14147a79fc07a54889e6f66cd5118b123

    • SHA512

      d1f342d17c2f8434c6b7728d31871bce83c9d3f96dbc1bdfd3aff29abfdc5e88853fefb6b195c3ad01f76e31ce0b4c820a1732c53fb94da8441f7e61932476ad

    Score
    10/10
    remcosagilenetrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks