Overview

overview

10

Static

static

ad94b98e49...68.exe

windows7_x64

10

ad94b98e49...68.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ad94b98e49e2c5f974483313942e5968.exe

  • Size

    888KB

  • Sample

    210506-vw1rcyeps6

  • MD5

    4831c6d14c3a2135226c3e581bb4013f

  • SHA1

    44a2ce6196d4467b6ae78a625d346f9008935630

  • SHA256

    311e25c8370ed1c16a72cf163c48090f3e73495bc5fbc3a824635e9cc62f70e1

  • SHA512

    c06db0e8e11f9d185f73a0e3786bc4b94904c532c3af50be0badc983d48b7aa66dec429e25de755bcfeadf371e48843f6531024acbd32afca9970991bc57da30

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

sandshoe.myfirewall.org:2404

sandshoe.myfirewall.org:2415

Targets

    • Target

      ad94b98e49e2c5f974483313942e5968.exe

    • Size

      888KB

    • MD5

      4831c6d14c3a2135226c3e581bb4013f

    • SHA1

      44a2ce6196d4467b6ae78a625d346f9008935630

    • SHA256

      311e25c8370ed1c16a72cf163c48090f3e73495bc5fbc3a824635e9cc62f70e1

    • SHA512

      c06db0e8e11f9d185f73a0e3786bc4b94904c532c3af50be0badc983d48b7aa66dec429e25de755bcfeadf371e48843f6531024acbd32afca9970991bc57da30

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks