Overview

overview

10

Static

static

1

c1d4c7dc61...9b.vbs

windows7-x64

8

c1d4c7dc61...9b.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a62b92b851b7fe1cc590518f87fd4352.bin

  • Size

    505KB

  • Sample

    230703-b26cgaec87

  • MD5

    e6bf653f3213d847aec1db70c209dd92

  • SHA1

    3b8b1c3fda1208531c65e447f136aa8201fd76a6

  • SHA256

    2a3f359fbc1c8fbdf978b8388c6f847254a6e016cf6c627dc181cb508469ac6b

  • SHA512

    5f606c966c9e1c407631b9e6175b28cbc3ce0ab7ae1a179909aa3b501b7034c6199bf6cc61d3a1ccdcce679293b5816f368eb6afc128eb90fefbcd1e7ff574ef

  • SSDEEP

    12288:V+4tLENSKEPBPH2JzOKnRvYFY3JANWkNGkcJ4iL:1PdHez9RQO5AkkwlaiL

Score
10/10
guloaderremcosadobepdfdownloaderpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

AdobePDF

C2

apdfhost.online:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-X1WV4F

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      c1d4c7dc612e1d28a4b60fa08ae4ff9ce839a3a2b248059602156a0edd58399b.vbs

    • Size

      1.9MB

    • MD5

      a62b92b851b7fe1cc590518f87fd4352

    • SHA1

      5aecad0a58f80061d2af0067aa3757dc330e523c

    • SHA256

      c1d4c7dc612e1d28a4b60fa08ae4ff9ce839a3a2b248059602156a0edd58399b

    • SHA512

      f0ee5a49258f1f55422bfbb28956e7f8d446eda1262f550d0c2a330b4c791b659c3f842c33e28648200d50c350e23b5a3ce8c5ff4e7e54e5ae16769ec710b893

    • SSDEEP

      24576:QuuuuuuuuuuuuuuuuuuuuuuuuuuuuuunA:QuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuA

    Score
    10/10
    guloaderremcosadobepdfdownloaderpersistencerat

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks