Overview

overview

10

Static

static

1

RFQ New Tu...19.exe

windows7-x64

10

RFQ New Tu...19.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RFQ New Tube Bundle of E-2419.exe

  • Size

    849KB

  • Sample

    230308-rbx66sgd41

  • MD5

    3d917fd5f2f5e18c28d68437ea4e9dc0

  • SHA1

    276f1c5b73545dd5bc1fcf7d4e745a5a6e78d274

  • SHA256

    807093752106d15ce311660c16c40e2a6987a00ce7e2710b19b64d9501a36f36

  • SHA512

    fd92068da0418beb6a24d6b34b42724c08839d2d36db4b06c2dfac9d0d11f83ed76115762feaec30b960ae9a824ccd7540f2e1e298cfdcf22129e57f1373e2e9

  • SSDEEP

    12288:oTUapCWOSkmUQNQugJaBHCa7GGzkZqPLX3UHA25TakgFye5TnLF78:6dAskmUVugJd6GG4ZqPLX3UHA2I

Score
10/10
modiloaderremcosgpmawpersistencerattrojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

GPMAW

C2

emberluck.duckdns.org:5050

ogcmaw.duckdns.org:5050
Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_muzkmgzdyruylam

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      RFQ New Tube Bundle of E-2419.exe

    • Size

      849KB

    • MD5

      3d917fd5f2f5e18c28d68437ea4e9dc0

    • SHA1

      276f1c5b73545dd5bc1fcf7d4e745a5a6e78d274

    • SHA256

      807093752106d15ce311660c16c40e2a6987a00ce7e2710b19b64d9501a36f36

    • SHA512

      fd92068da0418beb6a24d6b34b42724c08839d2d36db4b06c2dfac9d0d11f83ed76115762feaec30b960ae9a824ccd7540f2e1e298cfdcf22129e57f1373e2e9

    • SSDEEP

      12288:oTUapCWOSkmUQNQugJaBHCa7GGzkZqPLX3UHA25TakgFye5TnLF78:6dAskmUVugJd6GG4ZqPLX3UHA2I

    Score
    10/10
    modiloadertrojanremcosgpmawpersistencerat

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • ModiLoader Second Stage

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks