Overview

overview

10

Static

static

d17564de48...9d.exe

windows7-x64

10

d17564de48...9d.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d

  • Size

    112KB

  • Sample

    221209-rndcjagb9w

  • MD5

    a0a43077ce1076346b76d810b37b3452

  • SHA1

    beaea5e9c198eb914542c567d6aa2ac405291bbe

  • SHA256

    d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d

  • SHA512

    f27723630567b84d0e7db9af7a6e354223d3f477d69254c47ee018a2e43ebcea63da830144c0b9c0cc1292cd41c26e0ac0d630e6ed1b482e2250a8db9fae8ea6

  • SSDEEP

    1536:czITVdWJBDPHidw5C8i1PsVrg/+3DGCHyIk0AWj9ehGE:hTkxZbDGvIk0w

Score
10/10
guloaderremcosdownloaderpersistencerat

Malware Config

Targets

    • Target

      d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d

    • Size

      112KB

    • MD5

      a0a43077ce1076346b76d810b37b3452

    • SHA1

      beaea5e9c198eb914542c567d6aa2ac405291bbe

    • SHA256

      d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d

    • SHA512

      f27723630567b84d0e7db9af7a6e354223d3f477d69254c47ee018a2e43ebcea63da830144c0b9c0cc1292cd41c26e0ac0d630e6ed1b482e2250a8db9fae8ea6

    • SSDEEP

      1536:czITVdWJBDPHidw5C8i1PsVrg/+3DGCHyIk0AWj9ehGE:hTkxZbDGvIk0w

    Score
    10/10
    guloaderdownloaderpersistenceremcosrat

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks