General

  • Target

    SERFINANZA_EXTRACTO_9429299304353174728403_23412551137329424487110_9573524169573054383615259_639869929291807056373_pdf.e

  • Size

    3.3MB

  • Sample

    210506-jvx511vwna

  • MD5

    2167310bfc6911706be2abfadbb25a07

  • SHA1

    973e9cdaae27067d21bd2ed290ee2fb3139e3f6a

  • SHA256

    a11a2be54b4e16b1ad08516b46da1ded79de8b7a31e4cf7537e21abce1639816

  • SHA512

    713f1d20e27f2d19ffb83a5a20043e045ad6a42b7487eb7d945350ecb91035ae8049ff603785e25ac131b1e49ca4ecb5e478ebbeb39104b1b883b706835ec8a7

Malware Config

  • Extracted

    Family: remcos

    C2: databasepropersonombrecomercialideasearchwords.services:3521

Targets

    • Target

      SERFINANZA_EXTRACTO_9429299304353174728403_23412551137329424487110_9573524169573054383615259_639869929291807056373_pdf.e

    • Size

      3.3MB

    • MD5

      2167310bfc6911706be2abfadbb25a07

    • SHA1

      973e9cdaae27067d21bd2ed290ee2fb3139e3f6a

    • SHA256

      a11a2be54b4e16b1ad08516b46da1ded79de8b7a31e4cf7537e21abce1639816

    • SHA512

      713f1d20e27f2d19ffb83a5a20043e045ad6a42b7487eb7d945350ecb91035ae8049ff603785e25ac131b1e49ca4ecb5e478ebbeb39104b1b883b706835ec8a7

    • Modifies Windows Defender Real-time Protection settings

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • Nirsoft

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic           Technique                            Count  ID
  Persistence      Modify Existing Service              1      T1031
  Persistence      Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion  Modify Registry                      5      T1112
  Defense Evasion  Disabling Security Tools             4      T1089
  Discovery        System Information Discovery         1      T1082