Managed XDR

request-for-quotation.eml (Remcos) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
request-for-quotation.eml
Тип файла
SMTP mail, ASCII text, with CRLF line terminators
Размер файла
1.7 MB
Первое обнаружение
Последнее обнаружение

Окружение

w10/x64 en

Хеши

SHA1
e2b8111821ec22cf0eb0b522ca845fd058adadf6
SHA256
1c04437e5e4b29f945f3815d0410b80b57a6897326d29a09d7a87c3f9b806a7c
MD5
c3a59e38838415d2759a3aaf7055a918

Вредоносное ПО

  • Remcos

Сигнатуры

Privilege Escalation

T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 bypass_dev_utils: Executing .NET utility in a suspended state, potentially for injection
T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1562 dep_disable: Disables DEP
T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Other

yara_rules: Static rules
ce_info: Remcos Configuration Data found
pe_in_bcryptdecrypt: PE found in BCryptDecrypt function
static_pe_anomaly: The PE file structure contains anomalies
dead_host: Connects to IP addresses that do not respond to requests
no_graphical_activity: No graphic activity
has_pdb: This executable file has a PDB path
creates_suspended_process: Creates suspended process
test_check_service: Starts services

Похожие отчёты