General

  • Target

    https://bazaar.abuse.ch/sample/c4285d31e8669ee5b08aa43ec05210c89ccd947c393dd1ba9cb8a074d8ab3841/

  • Sample

    230407-k68g3aae71

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:53399

109.206.243.162:53399

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-TBK4U0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75
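The Remcos config and the GCleaner C2 list above are only useful once they are turned into something a hunt can match on, and two details in this config matter for that: the first C2 entry, 127.0.0.1:53399, is non-routable (a builder default, not infrastructure) and should not land in a blocklist, and install_flag is false, so the copy_file, copy_folder and startup_value artifacts will not exist on an infected host even though they are present in the config. The script below is an added example, not Triage output and not the malware's own code; the config values are copied from the report, the Sysmon-style event lines are constructed for illustration, and the "Key=Value | Key=Value" event format is an assumption made for the example.

```python
"""Turn the extracted Remcos and GCleaner configs into hunt-ready indicators
and run them over a few constructed Sysmon-style events.

Added example, not Triage output and not the malware's code. The config
values are copied from the report; the event lines are constructed."""
import ipaddress
from dataclasses import dataclass, field

REMCOS_CONFIG = {  # values as extracted above
    "c2": ["127.0.0.1:53399", "109.206.243.162:53399"],
    "mutex": "Rmc-TBK4U0",
    "install_flag": "false",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "startup_value": "Remcos",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_folder": "Screenshots",
}
GCLEANER_C2 = ["45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"]


@dataclass
class Indicators:
    network: set = field(default_factory=set)   # "ip:port" for Remcos, bare ip for GCleaner
    mutexes: set = field(default_factory=set)
    paths: set = field(default_factory=set)     # lower-cased path suffixes
    run_values: set = field(default_factory=set)
    notes: list = field(default_factory=list)


def routable(host: str) -> bool:
    """False for loopback/private/reserved IPs (127.0.0.1 in a Remcos C2 list
    is a builder default, not infrastructure); hostnames are kept."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True


def build_indicators(remcos: dict, gcleaner_c2: list) -> Indicators:
    ind = Indicators()
    for entry in remcos["c2"]:
        host, _, port = entry.rpartition(":")
        if routable(host):
            ind.network.add(f"{host}:{port}")
        else:
            ind.notes.append(f"skipped non-routable C2 {entry}")
    ind.network.update(ip for ip in gcleaner_c2 if routable(ip))
    ind.mutexes.add(remcos["mutex"])
    # Keylog/screenshot paths are relative to %AppData% whatever install_flag says.
    ind.paths.add(f"\\{remcos['keylog_folder']}\\{remcos['keylog_file']}".lower())
    ind.paths.add(f"\\{remcos['screenshot_folder']}\\".lower())
    # copy_file / startup_value artifacts only exist when install_flag is true.
    if remcos["install_flag"].lower() == "true":
        ind.paths.add(f"\\{remcos['copy_folder']}\\{remcos['copy_file']}".lower())
        ind.run_values.add(remcos["startup_value"])
    else:
        ind.notes.append("install_flag=false: do not expect copy_file or Run-key artifacts")
    return ind


def parse_event(line: str) -> dict:
    """'Key=Value | Key=Value' lines (constructed format, not real Sysmon XML)."""
    return dict(kv.split("=", 1) for kv in line.split(" | ") if "=" in kv)


def match_events(lines, ind: Indicators) -> list:
    """Return (kind, evidence) for every event that touches an indicator."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "3":  # network connection
            ip, port = ev.get("DestinationIp", ""), ev.get("DestinationPort", "")
            if f"{ip}:{port}" in ind.network or ip in ind.network:
                hits.append(("c2", f"{ip}:{port}"))
        elif eid == "11":  # file create
            name = ev.get("TargetFilename", "")
            if any(p in name.lower() for p in ind.paths):
                hits.append(("file", name))
        elif eid == "13":  # registry value set
            key = ev.get("TargetObject", "")
            if any(key.endswith("\\Run\\" + v) for v in ind.run_values):
                hits.append(("runkey", key))
    return hits


SAMPLE_EVENTS = [  # constructed for illustration; not from the report
    "EventID=3 | Image=C:\\Users\\u\\AppData\\Local\\Temp\\x.exe | DestinationIp=109.206.243.162 | DestinationPort=53399",
    "EventID=3 | Image=C:\\Users\\u\\AppData\\Local\\Temp\\x.exe | DestinationIp=127.0.0.1 | DestinationPort=53399",
    "EventID=3 | Image=C:\\Users\\u\\AppData\\Local\\Temp\\x.exe | DestinationIp=45.12.253.72 | DestinationPort=80",
    "EventID=11 | Image=C:\\Users\\u\\AppData\\Local\\Temp\\x.exe | TargetFilename=C:\\Users\\u\\AppData\\Roaming\\remcos\\logs.dat",
    "EventID=13 | Image=C:\\Users\\u\\AppData\\Local\\Temp\\x.exe | TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Remcos",
]

if __name__ == "__main__":
    ind = build_indicators(REMCOS_CONFIG, GCLEANER_C2)
    for hit in match_events(SAMPLE_EVENTS, ind):
        print(hit)
    for note in ind.notes:
        print("note:", note)
```

Run as-is it reports the 109.206.243.162:53399 connection, the GCleaner 45.12.253.72 connection on any port, and the logs.dat keylog file; the loopback connection and the Run key are ignored, the first because it is non-routable and the second because this build does not install itself. The keylog_flag is also false in this config, so the logs.dat path is a weaker indicator than the mutex and C2 and is kept mainly to show the %AppData%\remcos layout.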

Extracted

Path

C:\Program Files\7-Zip\Lang\HOW TO DECRYPT FILES.txt

Ransom Note
All your important files were encrypted on this computer. You can verify this by click on see files an try open them.
Encrtyption was produced using unique KEY generated for this computer.
To decrypted files, you need to otbtain private key.
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet; The server will destroy the key within 24 hours after encryption completed.
Payment have to be made in maxim 24 hours
To retrieve the private key, you need to pay 3 BITCOINS
Bitcoins have to be sent to this address: 1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK
After you've sent the payment send us an email to : fast_decrypt_and_protect@tutanota.com with subject : ERROR-ID-63100778(3BITCOINS)
If you are not familiar with bitcoin you can buy it from here : SITE : www.localbitcoin.com
After we confirm the payment , we send the private key so you can decrypt your system.
Emails

fast_decrypt_and_protect@tutanota.com

Wallets

1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK
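The Emails and Wallets entries above are pulled from the note text. When a note is recovered from a victim machine rather than a sandbox, the same extraction has to be done by hand, and a wallet string is worth checksum-validating before it is shared: a transcription error or OCR slip produces a Base58 string that looks right but fails Base58Check. The script below is an added example, not part of the report; RANSOM_NOTE is a verbatim excerpt of the note quoted above, the ERROR-ID pattern is specific to this note's format, and the known-good address used only in the self-check is the Bitcoin genesis-block address.

```python
"""Pull the contact and payment indicators out of the ransom note and
sanity-check the Bitcoin address with Base58Check.

Added example, not part of the report. RANSOM_NOTE is a verbatim excerpt
of the note quoted above; the ERROR-ID pattern is specific to this note."""
import hashlib
import re

RANSOM_NOTE = (
    "To retrieve the private key, you need to pay 3 BITCOINS Bitcoins have to be "
    "sent to this address: 1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK After you've sent "
    "the payment send us an email to : fast_decrypt_and_protect@tutanota.com with "
    "subject : ERROR-ID-63100778(3BITCOINS) If you are not familiar with bitcoin "
    "you can buy it from here : SITE : www.localbitcoin.com"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Legacy (Base58) Bitcoin addresses start with 1 or 3; bech32 (bc1...) is not covered.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
ID_RE = re.compile(r"ERROR-ID-\d+")  # victim/campaign ID format used by this note
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Base58 to bytes; each leading '1' encodes one 0x00 byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on 0, O, I, l or any non-Base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def valid_btc_address(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # P2PKH or P2SH mainnet
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_indicators(note: str) -> dict:
    """Emails, wallets (each paired with its checksum verdict) and the note's ID string."""
    return {
        "emails": sorted(set(EMAIL_RE.findall(note))),
        "wallets": [(w, valid_btc_address(w)) for w in sorted(set(BTC_RE.findall(note)))],
        "ids": sorted(set(ID_RE.findall(note))),
    }


if __name__ == "__main__":
    for k, v in extract_indicators(RANSOM_NOTE).items():
        print(k, v)
```

The wallet is reported together with its checksum verdict rather than silently dropped when invalid, because an address that fails Base58Check is still an indicator of the note itself; it just should not be submitted to a blockchain tracker as-is.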

Targets

    • Target

      https://bazaar.abuse.ch/sample/c4285d31e8669ee5b08aa43ec05210c89ccd947c393dd1ba9cb8a074d8ab3841/

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies Windows Defender notification settings

    • Modifies security service

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Sets file execution options in registry

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
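Three of the behaviours listed above are cheap to turn into host-side detections: shadow-copy deletion, Windows Defender real-time protection tampering, and Image File Execution Options (IFEO) changes. The script below is an added example, not Triage's signature logic. The report names these behaviours but does not show the sample's exact command lines or registry writes, so the command-line and registry-key patterns are the commonly observed ones and are assumptions for this example, as is the "Key=Value | Key=Value" event format; all event lines are constructed.

```python
"""Behaviour checks for three of the signatures listed above: shadow-copy
deletion, Windows Defender real-time protection tampering and Image File
Execution Options (IFEO) changes.

Added example, not Triage's signature logic. The report names these
behaviours but not the sample's exact commands or registry writes, so the
patterns are the commonly observed ones (assumed); events are constructed."""
import re


def parse_event(line: str) -> dict:
    """'Key=Value | Key=Value' lines (constructed format, not real Sysmon XML)."""
    return dict(kv.split("=", 1) for kv in line.split(" | ") if "=" in kv)


# Assumed typical command lines (vssadmin, wmic, and the WMI class used from PowerShell).
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),
]
# Defender real-time protection policy values; only a non-zero write is tampering.
DEFENDER_RTP = re.compile(
    r"\\Windows Defender\\Real-Time Protection\\"
    r"Disable(RealtimeMonitoring|BehaviorMonitoring|OnAccessProtection|IOAVProtection)$",
    re.I,
)
# IFEO: Debugger hijacks a named executable; GlobalFlag is used by the SilentProcessExit variant.
IFEO = re.compile(r"\\Image File Execution Options\\[^\\]+\\(Debugger|GlobalFlag)$", re.I)


def dword(details: str):
    """Sysmon writes DWORD values as 'DWORD (0x00000001)'; return the int or None."""
    m = re.search(r"0x([0-9a-fA-F]{8})", details)
    return int(m.group(1), 16) if m else None


def classify(ev: dict):
    """(signature, evidence) for one parsed event, or None."""
    eid = ev.get("EventID")
    if eid == "1":  # process creation
        cmd = ev.get("CommandLine", "")
        if any(p.search(cmd) for p in SHADOW_DELETE):
            return ("Deletes shadow copies", cmd)
    elif eid == "13":  # registry value set
        key = ev.get("TargetObject", "")
        if DEFENDER_RTP.search(key) and (dword(ev.get("Details", "")) or 0) != 0:
            return ("Modifies Windows Defender Real-time Protection settings", key)
        if IFEO.search(key):
            return ("Sets file execution options in registry", key)
    return None


def scan(lines) -> list:
    """Classify every event line; keep only the ones that matched a signature."""
    return [r for r in (classify(parse_event(line)) for line in lines) if r]


SAMPLE_EVENTS = [  # constructed, Sysmon-like; not from the report
    "EventID=1 | Image=C:\\Windows\\System32\\vssadmin.exe | CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "EventID=1 | Image=C:\\Windows\\System32\\cmd.exe | CommandLine=cmd /c dir",
    "EventID=13 | TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring | Details=DWORD (0x00000001)",
    "EventID=13 | TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring | Details=DWORD (0x00000000)",
    "EventID=13 | TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\\Debugger | Details=C:\\Users\\u\\AppData\\Local\\Temp\\x.exe",
]

if __name__ == "__main__":
    for sig, evidence in scan(SAMPLE_EVENTS):
        print(f"{sig}: {evidence}")
```

The Defender check deliberately ignores writes of 0: Group Policy refreshes and admin tooling set these values back to 0 routinely, and alerting on every touch of the key buries the one write that matters. The IFEO check fires on any Debugger or GlobalFlag value because legitimate debuggers are rarely registered that way on end-user machines; if they are in your environment, allow-list the specific executable names.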

MITRE ATT&CK Matrix (ATT&CK v6)

The technique IDs below are ATT&CK v6 identifiers; several of them (T1031, T1050, T1060, T1067, T1081, T1089, T1107, T1130) have since been deprecated or folded into sub-techniques in later ATT&CK releases, so map them to current IDs before loading this matrix into a Navigator layer or comparing it with other reports.

Tactic                Technique                             ID      Count
Execution             Scheduled Task                        T1053   1
Persistence           Modify Existing Service               T1031   3
Persistence           New Service                           T1050   1
Persistence           Registry Run Keys / Startup Folder    T1060   3
Persistence           Bootkit                               T1067   1
Persistence           Scheduled Task                        T1053   1
Privilege Escalation  New Service                           T1050   1
Privilege Escalation  Scheduled Task                        T1053   1
Defense Evasion       Modify Registry                       T1112   9
Defense Evasion       Disabling Security Tools              T1089   3
Defense Evasion       File Deletion                         T1107   2
Defense Evasion       Virtualization/Sandbox Evasion        T1497   1
Defense Evasion       Install Root Certificate              T1130   1
Credential Access     Credentials in Files                  T1081   1
Discovery             Query Registry                        T1012   10
Discovery             Virtualization/Sandbox Evasion        T1497   1
Discovery             System Information Discovery          T1082   9
Discovery             Peripheral Device Discovery           T1120   2
Collection            Data from Local System                T1005   1
Impact                Inhibit System Recovery               T1490   2

Tasks