General

  • Target

    XEG.exe

  • Size

    1.8MB

  • Sample

    210511-mrlamwvkse

  • MD5

    c92c34ed08c2495905803b41a57aa7f3

  • SHA1

    7a9cc21adf388ef89d9056dd58c556d747021593

  • SHA256

    72849c508e7534ebab7eb520f72ba0e7811ea7bb01a37400e1031c176d84b23a

  • SHA512

    01a4dcff6c1f4bee51cbc9dbcba59d9434e16cc4cad35078785ab349161457a8ca538eda6493376bbac9b17cf8a29d76335c7228394a9831ee42e0aa5134b554

Score
10/10

Malware Config

Extracted

Family

remcos

C2

wedsazxcvfghyuiokjhbnvfcdsaweyplmhbvrtud.ydns.eu:1996

Targets

    • Target

      XEG.exe

    • Size

      1.8MB

    • MD5

      c92c34ed08c2495905803b41a57aa7f3

    • SHA1

      7a9cc21adf388ef89d9056dd58c556d747021593

    • SHA256

      72849c508e7534ebab7eb520f72ba0e7811ea7bb01a37400e1031c176d84b23a

    • SHA512

      01a4dcff6c1f4bee51cbc9dbcba59d9434e16cc4cad35078785ab349161457a8ca538eda6493376bbac9b17cf8a29d76335c7228394a9831ee42e0aa5134b554

    Score
    10/10
    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                            Count   ID
  Persistence       Registry Run Keys / Startup Folder   1       T1060
  Defense Evasion   Modify Registry                      1       T1112
  Discovery         System Information Discovery         1       T1082

Tasks