remcos | ee06568a688b08b44558fbb7de0673bdaafebca6a1bea0abbabd4b955188dcc7 | Triage

Sharing

General

Target

ee06568a688b08b44558fbb7de0673bdaafebca6a1bea0abbabd4b955188dcc7
Size

345KB
Sample

210508-95cbdfl8hn
MD5

a967e53485c42b4926f489d6f8755d5d
SHA1

48c97a1da6c66d08a5f2f29308d7439c74b4e67e
SHA256

ee06568a688b08b44558fbb7de0673bdaafebca6a1bea0abbabd4b955188dcc7
SHA512

b58cee140ecc79e53ec83eead40586aae41ea618c8e6b7eae6fda66ea71c35fe461be1707d7227d1aa6f2ea20613d99068f55c20bc54f83a5a84b30f06e5df49

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

79.105.173.179:2404

Targets

- Target
  
  ee06568a688b08b44558fbb7de0673bdaafebca6a1bea0abbabd4b955188dcc7
- Size
  
  345KB
- MD5
  
  a967e53485c42b4926f489d6f8755d5d
- SHA1
  
  48c97a1da6c66d08a5f2f29308d7439c74b4e67e
- SHA256
  
  ee06568a688b08b44558fbb7de0673bdaafebca6a1bea0abbabd4b955188dcc7
- SHA512
  
  b58cee140ecc79e53ec83eead40586aae41ea618c8e6b7eae6fda66ea71c35fe461be1707d7227d1aa6f2ea20613d99068f55c20bc54f83a5a84b30f06e5df49
Score

10^/10

remcos persistence rat
- Modifies WinLogon for persistence
  persistence
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcospersistencerat

behavioral2

remcospersistencerat