Overview

overview

10

Static

static

1.exe

windows7_x64

10

1.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1.exe

  • Size

    292KB

  • Sample

    210826-9h5drvap4n

  • MD5

    efc8835857289c3a0203ceacc6c3dc54

  • SHA1

    b714743ed51d7ebde304c6ff3de1e0272a14abc7

  • SHA256

    12b96d3fdf88e0f6d4aa41aefefa93563c1186566115b78a73964a045e4476d7

  • SHA512

    aa3156d44079d2bbee35c3b65303f8895d783e8e21a4560a66bbfbdfd6d9c13dbe4e1db24be07660a1244b87a72bfa1136ee65ae2af3b173acca0a483e1a1c45

Score
10/10
guloadermodiloaderremcosarmonia1downloaderevasionpersistenceratsuricatatrojan

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

Armonia1

C2

adminpotalpublicpersonaswps.website:64157

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    xlogs107.dat

  • keylog_flag

    false

  • keylog_folder

    Runtime15

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    !27Mzcjw9@!C9i-ZHLPA2

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Targets

    • Target

      1.exe

    • Size

      292KB

    • MD5

      efc8835857289c3a0203ceacc6c3dc54

    • SHA1

      b714743ed51d7ebde304c6ff3de1e0272a14abc7

    • SHA256

      12b96d3fdf88e0f6d4aa41aefefa93563c1186566115b78a73964a045e4476d7

    • SHA512

      aa3156d44079d2bbee35c3b65303f8895d783e8e21a4560a66bbfbdfd6d9c13dbe4e1db24be07660a1244b87a72bfa1136ee65ae2af3b173acca0a483e1a1c45

    Score
    10/10
    guloadermodiloaderremcosarmonia1downloaderevasionpersistenceratsuricatatrojan

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • suricata: ET MALWARE Generic .bin download from Dotted Quad

      suricata: ET MALWARE Generic .bin download from Dotted Quad

      suricata

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks