General

  • Target: 5fcfdf0e241a0347f9ff9caa897649e7fe8f25757b39c61afddbe288202696d5.zip
  • Size: 89KB
  • Sample: 230321-r4qb2ade4w
  • MD5: 974b84a069a8466437463cf909302b23
  • SHA1: 4e8b162d9e63fec2a9665709594542e29020c6f5
  • SHA256: 52e29f8243abc4fcb9a6f6d5af8e21709f47abf28c46eb3382e3b096d24aca08
  • SHA512: 194b687aafad949ca61877ab181602f88f3aec0ee0064f904b25a68e6908a31123a090216a6ef4e3b58c5da1f7565e509337cf4685d4a98813a61177e2f3b966
  • SSDEEP: 1536:HPn3qE4OFxexd+QyUGgn7kW/EOF2IFQ+CMFR09HuvN5INNmrCBQpIgTz:HP3qE4bZG87BFddFLV5qNmWapIs

Malware Config

Extracted

  • Language: ps1
  • Source: exe.dropper
  • URLs: https://drive.google.com/uc?export=download&id=1BZ2BJVzqOMDwarpjiTzKEiwa42W1Dj9q

Extracted

  • Family: remcos
  • Botnet: RemoteHost
  • C2: 172.96.14.18:2404

Attributes
  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-BTMV7H
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: Remcos
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: 5fcfdf0e241a0347f9ff9caa897649e7fe8f25757b39c61afddbe288202696d5.vbs
    • Size: 167KB
    • MD5: 9623c946671c6ec7a30b7c45125d5d48
    • SHA1: dc7da278ed35fe96de7b2897a2153623ab529ee5
    • SHA256: 5fcfdf0e241a0347f9ff9caa897649e7fe8f25757b39c61afddbe288202696d5
    • SHA512: 1dc5fd1933eb534e91e7e2ab6975869de23f0f63aa1d9d7a2e31afec64a92d258fafcd7e5908a10fc35a038dc7f140cb50daa4f99d23763e1f6333e048f8c750
    • SSDEEP: 3072:fT4ojdIIu3UZqsYIDDwly91P3li6vGWbpyQ61uBZUZsaWO5stMuks:fT4ojdGrMXwloV1i6vrV1Z2WO8Mq

    • Guloader, Cloudeye: A shellcode-based downloader first seen in 2020.
    • Remcos: Remcos is a closed-source remote control and surveillance software.
    • Blocklisted process makes network request
    • Checks QEMU agent file: Checks presence of the QEMU agent, possibly to detect virtualization.
    • Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic               Technique                      Count  ID
Execution            Command-Line Interface         1      T1059
Defense Evasion      Install Root Certificate       1      T1130
Defense Evasion      Modify Registry                1      T1112
Discovery            Query Registry                 2      T1012
Discovery            System Information Discovery   4      T1082
Command and Control  Web Service                    1      T1102