Overview

overview

10

Static

static

10

9f7ef650ee...f9.exe

windows7_x64

10

9f7ef650ee...f9.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9f7ef650ee32895e313edc085fbc29f9.exe

  • Size

    455KB

  • Sample

    210505-1mpnk5vb46

  • MD5

    9f7ef650ee32895e313edc085fbc29f9

  • SHA1

    bcde3f8d90c9b0d3ad79785f77a089003260fedc

  • SHA256

    02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa

  • SHA512

    c79c2c31aeb6c22ede5cdfbf1c7b5428be304327b0f9ccd000f094ccbb9ec0a871bb5f5217ec7e98ea05917f6ae927a1082dd80adcc9bd0a35c26daac8de0e50

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

fieldsdegreenf.duckdns.org:6553

aaeeerbbbeee.duckdns.org:6553

Targets

    • Target

      9f7ef650ee32895e313edc085fbc29f9.exe

    • Size

      455KB

    • MD5

      9f7ef650ee32895e313edc085fbc29f9

    • SHA1

      bcde3f8d90c9b0d3ad79785f77a089003260fedc

    • SHA256

      02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa

    • SHA512

      c79c2c31aeb6c22ede5cdfbf1c7b5428be304327b0f9ccd000f094ccbb9ec0a871bb5f5217ec7e98ea05917f6ae927a1082dd80adcc9bd0a35c26daac8de0e50

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks