Overview

overview

10

Static

static

DHL fil.exe

windows7_x64

10

DHL fil.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    04-01-2021 17:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL fil.exe

  • Size

    1.7MB

  • MD5

    0400ac5d652f38d0b60274ceed2e673a

  • SHA1

    9c4ea3cda7382930907a89dc8c6ad22dcecc0e67

  • SHA256

    816f26e5b5de1be644fff419718bc3e1b8410a4a9a9f405d8db814e7758608d9

  • SHA512

    389776faa311fa1b10e9eda5a0f93898109f73e75214fe1007ea6bb03c87bb26f76506a1828b42825f8ed1d8d4ac3969e4836a628514ae05a99753ce0629bc37

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

u875414.nvpn.to:2404

u875414.duckdns.org:2404

u875414.ddns.net:2404

u875414.nsupdate.info:2404

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL fil.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL fil.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:728
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN firefox /XML "C:\Users\Admin\AppData\Local\Temp\c571f70d86ea41e1ade60440eec90e9a.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN firefox /XML "C:\Users\Admin\AppData\Local\Temp\c571f70d86ea41e1ade60440eec90e9a.xml"
        3⤵
        • Creates scheduled task(s)
        PID:1072
    • C:\Users\Admin\AppData\Local\Temp\DHL fil.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL fil.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1768

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\c571f70d86ea41e1ade60440eec90e9a.xml
    MD5

    221cfd19d0ea77a30962373204cbf075

    SHA1

    a90caac684a646d59e9332f69412a02c26cda2a4

    SHA256

    a4a0ec1399f1b5c7bfec389994a86318b7aec8b85f4abb1a7c4bf445bd5955b3

    SHA512

    1fd4fb712f2ad07551ab38f616121d5228500ae1aca29c8f74a5d60c21b89b65bd9a171c48bb31510791ba995a5ef6713ecf473e1832a5b7185dbcedfcf5d475

    Download Submit

  • memory/1072-5-0x0000000000000000-mapping.dmp

    Download

  • memory/1492-2-0x0000000000000000-mapping.dmp

    Download

  • memory/1768-3-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1768-4-0x0000000000413FA4-mapping.dmp

    Download

  • memory/1768-6-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download