General

  • Target

    PI - MLTI.xlsx

  • Size

    747KB

  • Sample

    230609-l1daeacf3w

  • MD5

    e72008da6bba31e17cbc8f65a2d7207e

  • SHA1

    d1973956016566f112f60709e5e93f32bb854fa7

  • SHA256

    5fd107a707b28c46222eff99294f03139520f8f209b3af75800b7b098ec9b29d

  • SHA512

    9f3494ec6682ffd79d4ead74c45dd43a04d46d23ccde180bb66b56f671a9987c17c0a8bc3e215e1e0716759da1129762c2740315ed57becb6e871ae891e591ce

  • SSDEEP

    12288:DBb50DGxsHO4CnMHFgPbRC46/YGEJZV6rNG3iGt6yjY5bsikGruDLteS/eo0Ls:t5dJXnMHFg1FyG3iE0Fk208SmoX

Malware Config

Extracted

Family

remcos

Botnet

Awelle-Host

C2

gdyhjjdhbvxgsfe.gotdns.ch:2718

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Rmc-W62KZF

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      PI - MLTI.xlsx

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Remcos

      Remcos is closed-source remote-control and surveillance software.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks