Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-01-2021 17:41

General

  • Target
    DHL fil.exe
  • Size
    1.7MB
  • MD5
    0400ac5d652f38d0b60274ceed2e673a
  • SHA1
    9c4ea3cda7382930907a89dc8c6ad22dcecc0e67
  • SHA256
    816f26e5b5de1be644fff419718bc3e1b8410a4a9a9f405d8db814e7758608d9
  • SHA512
    389776faa311fa1b10e9eda5a0f93898109f73e75214fe1007ea6bb03c87bb26f76506a1828b42825f8ed1d8d4ac3969e4836a628514ae05a99753ce0629bc37

Score
10/10

Malware Config

Extracted

Family

remcos

C2

u875414.nvpn.to:2404

u875414.duckdns.org:2404

u875414.ddns.net:2404

u875414.nsupdate.info:2404

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL fil.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL fil.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN firefox /XML "C:\Users\Admin\AppData\Local\Temp\c571f70d86ea41e1ade60440eec90e9a.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN firefox /XML "C:\Users\Admin\AppData\Local\Temp\c571f70d86ea41e1ade60440eec90e9a.xml"
        3⤵
        • Creates scheduled task(s)
        PID:2416
    • C:\Users\Admin\AppData\Local\Temp\DHL fil.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL fil.exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:3836

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\c571f70d86ea41e1ade60440eec90e9a.xml
    MD5
    3eb7080f35afc6fa9b8f1fa283d2b791
    SHA1
    f80ee9052dbf76740e6403e19f7f34a1183b2d4f
    SHA256
    ef889688b9761824a648b98601dfe3f31aedade2124aa959ccb79e82276a1fde
    SHA512
    2e270670bda47ff744256744b110518c1cfc2758dad5e5508f1514454805a2ae9e4850b8aa874f40d01c451b5a24b293d9a493df6fe39c8a902dc8842a436f36

  • memory/2416-7-0x0000000000000000-mapping.dmp
  • memory/2696-2-0x0000000000000000-mapping.dmp
  • memory/3836-3-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize
    132KB
  • memory/3836-4-0x0000000000413FA4-mapping.dmp
  • memory/3836-6-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize
    132KB