Overview

overview

10

Static

static

0987 Salt ...k..exe

windows7_x64

10

0987 Salt ...k..exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f631a26995eb4db06e561658b38a52751d32ff99ee1a19a9a79a3d6d1375c39f

  • Size

    350KB

  • Sample

    220521-nzrshshedp

  • MD5

    7c42f57b99eaf669a6892a801612e547

  • SHA1

    6671cc04b90e78daef793c781bc96cac3d7b003f

  • SHA256

    f631a26995eb4db06e561658b38a52751d32ff99ee1a19a9a79a3d6d1375c39f

  • SHA512

    d733fc681eca1cc1b003e70a1d9192eeeb36571210b95b2d80e5eccf47cb6526bf20ae0672373cb46a71c8ab67d2e3a2b1fb51a633b6ca969d61cb45ca2285ec

Score
10/10
remcospersistencerat

Malware Config

Targets

    • Target

      0987 Salt Makina Teknik..exe

    • Size

      757KB

    • MD5

      d150fab1d3923ca48b2d3730ee447279

    • SHA1

      1b6843bfb8f924cf356e6e149ab5d74d75125ae1

    • SHA256

      35a94d699b3b76654146147d5049a618067f3c2081f0b90d28f2b0cb4baf9df1

    • SHA512

      1d55e07820a95412a8fd6c0859b6eddd306df4e9e9ecdc3fc44669a575a6a6b6c600589e884b721ce3c56913675b3ffd55eaca5935e5a807538b61034094ce76

    Score
    10/10
    remcospersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks