Overview

overview

10

Static

static

1

5fcfdf0e24...d5.vbs

windows7-x64

10

5fcfdf0e24...d5.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5fcfdf0e241a0347f9ff9caa897649e7fe8f25757b39c61afddbe288202696d5.zip

  • Size

    89KB

  • Sample

    230321-qrakdaaf38

  • MD5

    8234d480e06e5725f2efe82b32f2de1b

  • SHA1

    5b1ad82f7278cfa74b7bab1b0ce6831c92e2d4d9

  • SHA256

    7a4c790060c57f7e257c8e40e55fe137895a005eeea17d1697f3037da83c2ba7

  • SHA512

    968c95d5c16a26359c79a13adba21067770636bd81a09a3bf1974a66473d53a265956df824378d41efa37f44830f37fd67ee5a56c187bfefcecc92d7360f1b0a

  • SSDEEP

    1536:olBfdmBgyVYfueWhxcfjfSmGhWlHv/fagrmd2QiW9SH+XwHSNvyTEnvNb:eF2VWgo1yWlnfRmfi+gyNvyTEn5

Score
10/10
guloaderremcosremotehostdownloaderrat

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=1BZ2BJVzqOMDwarpjiTzKEiwa42W1Dj9q

Extracted

Family

remcos

Botnet

RemoteHost

C2

172.96.14.18:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-BTMV7H

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      5fcfdf0e241a0347f9ff9caa897649e7fe8f25757b39c61afddbe288202696d5.vbs

    • Size

      167KB

    • MD5

      9623c946671c6ec7a30b7c45125d5d48

    • SHA1

      dc7da278ed35fe96de7b2897a2153623ab529ee5

    • SHA256

      5fcfdf0e241a0347f9ff9caa897649e7fe8f25757b39c61afddbe288202696d5

    • SHA512

      1dc5fd1933eb534e91e7e2ab6975869de23f0f63aa1d9d7a2e31afec64a92d258fafcd7e5908a10fc35a038dc7f140cb50daa4f99d23763e1f6333e048f8c750

    • SSDEEP

      3072:fT4ojdIIu3UZqsYIDDwly91P3li6vGWbpyQ61uBZUZsaWO5stMuks:fT4ojdGrMXwloV1i6vrV1Z2WO8Mq

    Score
    10/10
    guloaderremcosremotehostdownloaderrat

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks