remcos | b50c68306788c3880fa6a3903417c7cdebe25d8e7d8891890fc6143dead37be8 | Triage

Submit
Reports

Overview

overview

Static

static

1

b50c683067...e8.exe

windows7-x64

8

b50c683067...e8.exe

windows10-2004-x64

Sharing

General

Target

b50c68306788c3880fa6a3903417c7cdebe25d8e7d8891890fc6143dead37be8.exe
Size

1.0MB
Sample

250113-glq6ha1pdr
MD5

f74080e99b9f64e404c1db2f246d1ee8
SHA1

4b27d60d7e196c1c4632ac0e045385510f11edc2
SHA256

b50c68306788c3880fa6a3903417c7cdebe25d8e7d8891890fc6143dead37be8
SHA512

f670cb79dd0f0d7488bc778a8f17310a0c002d013529ca63c5bf672a73aebf9c5889d50816b1703294a280c41aa12acebf6299100c7c614cfe65595a17c178c4
SSDEEP

24576:fG6Wnz1p0C9+xk/rsvMXIojT5Ubcq7xLUsZdKaL7IEGJRTCg071K5:u9oCEx8r6MXb5UhxHZdt7cHTDwK5

Score

10^/10

remcos discovery persistence rat upx

Static task

static1

Behavioral task

behavioral1

Sample

b50c68306788c3880fa6a3903417c7cdebe25d8e7d8891890fc6143dead37be8.exe

Resource

win7-20240903-en

discovery persistence upx

windows7-x64

13 signatures

120 seconds

Behavioral task

behavioral2

Sample

b50c68306788c3880fa6a3903417c7cdebe25d8e7d8891890fc6143dead37be8.exe

Resource

win10v2004-20241007-en

remcos discovery persistence rat upx

windows10-2004-x64

15 signatures

120 seconds

Malware Config

Targets

- Target
  
  b50c68306788c3880fa6a3903417c7cdebe25d8e7d8891890fc6143dead37be8.exe
- Size
  
  1.0MB
- MD5
  
  f74080e99b9f64e404c1db2f246d1ee8
- SHA1
  
  4b27d60d7e196c1c4632ac0e045385510f11edc2
- SHA256
  
  b50c68306788c3880fa6a3903417c7cdebe25d8e7d8891890fc6143dead37be8
- SHA512
  
  f670cb79dd0f0d7488bc778a8f17310a0c002d013529ca63c5bf672a73aebf9c5889d50816b1703294a280c41aa12acebf6299100c7c614cfe65595a17c178c4
- SSDEEP
  
  24576:fG6Wnz1p0C9+xk/rsvMXIojT5Ubcq7xLUsZdKaL7IEGJRTCg071K5:u9oCEx8r6MXb5UhxHZdt7cHTDwK5
Score

10^/10

discovery persistence upx remcos rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistenceupx

behavioral2

remcosdiscoverypersistenceratupx

© 2018-2025

Terms | Privacy