General

  • Target

    76868bbe576d41f1654395768f1de4adf0139d7417e0b5785de8d258baeebaab

  • Size

    4.9MB

  • Sample

    240904-vpsematfkn

  • MD5

    be945a78231167d97c925b2c7e2f5745

  • SHA1

    80498179f3f5c98a74bcf1d80072b882cd480a93

  • SHA256

    76868bbe576d41f1654395768f1de4adf0139d7417e0b5785de8d258baeebaab

  • SHA512

    39b164f82d595500ebffdec3fa4dbd1a74fd48ea3628515781ef9e6526cb5edae827933f5d9c0289f052c8f86d97e3aeec70ef98d2dea86ae816899112a7177e

  • SSDEEP

    98304:RwNeOsvuFbLJkL7A3QJkshhHhmWm10KphBAGT9ttYlNKH+dotkbG7:yFbLJj3QGeK0i8GpYlNH+IW

Malware Config

Targets

    • Target

      396b9c091d6328765df31c29d2e6e5e28f2472d63052ec39447d4325b8f3bf53.exe

    • Size

      5.1MB

    • MD5

      aa1c1ce4915e430238dd1579fe0ee320

    • SHA1

      6df35550b84eb4b2648a09ff2be348ee326e7e78

    • SHA256

      396b9c091d6328765df31c29d2e6e5e28f2472d63052ec39447d4325b8f3bf53

    • SHA512

      04d46c3d8f73941b017b8c64302eebffe7a77a39d63c83dfbc5f71e45d1824557ea174dcc36c9ec82a4a176ae72ef840457855a11724314d255775b548f19d2e

    • SSDEEP

      98304:xXZvnKYEUwMXKCEXZvnKYEUwMXKC6XZvnKYEUwMXKC:xtnf3rXJEtnf3rXJ6tnf3rXJ

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
