Overview

overview

10

Static

static

RFQ-00205-0305.exe

windows7_x64

10

RFQ-00205-0305.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RFQ-00205-0305.exe

  • Size

    753KB

  • Sample

    210503-za3tfs6xkn

  • MD5

    621cb2fb281f8fc1a1e0bfdbd317570e

  • SHA1

    378b0726c6d90a9ba4c3f58ca4bef518e6ef6410

  • SHA256

    4969dc5e2b7349e189cdc079c2e9e02014e559d1315564b6d6fd18eeb252c605

  • SHA512

    bc257309d57129ae19402e25be0b69243f7fdc9686d0d690d9ce4357f311d0487bfa05569f79e530ba3b936dee55e7137b3ccb73cd660830c823da482c8ce5ba

Score
10/10
remcosxmrigminerpersistencerat

Malware Config

Extracted

Family

remcos

C2

style.ptbagasps.co.id:42024

Targets

    • Target

      RFQ-00205-0305.exe

    • Size

      753KB

    • MD5

      621cb2fb281f8fc1a1e0bfdbd317570e

    • SHA1

      378b0726c6d90a9ba4c3f58ca4bef518e6ef6410

    • SHA256

      4969dc5e2b7349e189cdc079c2e9e02014e559d1315564b6d6fd18eeb252c605

    • SHA512

      bc257309d57129ae19402e25be0b69243f7fdc9686d0d690d9ce4357f311d0487bfa05569f79e530ba3b936dee55e7137b3ccb73cd660830c823da482c8ce5ba

    Score
    10/10
    remcospersistenceratxmrigminer

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks