Overview

overview

10

Static

static

3

88885269b4...91.exe

windows7-x64

10

88885269b4...91.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/07/2023, 10:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88885269b4db455ec1a487c78f199554743e9d1152b876e8cc03cd99e6340491.exe

  • Size

    224KB

  • MD5

    9df78bffb685bad609163dcb409f94bf

  • SHA1

    bed934ea2ddc5bcbd971c7f10fb147d74570c7f4

  • SHA256

    88885269b4db455ec1a487c78f199554743e9d1152b876e8cc03cd99e6340491

  • SHA512

    9cc7600d4f49b48727f619a39235697ddf891554134b5ac1b27f68fbc16b1b7fc599a0700d05bfaf182050c3d053fb13d2017bb674981c2a10871760b26017df

  • SSDEEP

    3072:yAwC5wP7dePo8fCcHbbARFdPkw6nDEgyYYkQQrFkCwJZ2REcmVv/qNrPjoKXdU4C:yx/MtGFdxUuk5FkdQ6SRjFXYk8/

Score
10/10
guloaderremcosrawrawdiscoverydownloaderpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

rawRaw

C2

coto-ar.com:34087

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-UODPLC

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88885269b4db455ec1a487c78f199554743e9d1152b876e8cc03cd99e6340491.exe
    "C:\Users\Admin\AppData\Local\Temp\88885269b4db455ec1a487c78f199554743e9d1152b876e8cc03cd99e6340491.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:5052
    • C:\Users\Admin\AppData\Local\Temp\88885269b4db455ec1a487c78f199554743e9d1152b876e8cc03cd99e6340491.exe
      "C:\Users\Admin\AppData\Local\Temp\88885269b4db455ec1a487c78f199554743e9d1152b876e8cc03cd99e6340491.exe"
      2⤵
      • Checks QEMU agent file
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2960

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsf6C48.tmp\System.dll
    Filesize

    11KB

    MD5

    fccff8cb7a1067e23fd2e2b63971a8e1

    SHA1

    30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    SHA256

    6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    SHA512

    f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsf6C48.tmp\System.dll
    Filesize

    11KB

    MD5

    fccff8cb7a1067e23fd2e2b63971a8e1

    SHA1

    30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    SHA256

    6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    SHA512

    f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsf6C48.tmp\System.dll
    Filesize

    11KB

    MD5

    fccff8cb7a1067e23fd2e2b63971a8e1

    SHA1

    30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    SHA256

    6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    SHA512

    f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    Download Submit

  • memory/2960-209-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2960-206-0x0000000001660000-0x0000000003C71000-memory.dmp

    Filesize

    38.1MB

    Download

  • memory/2960-185-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2960-186-0x0000000001660000-0x0000000003C71000-memory.dmp

    Filesize

    38.1MB

    Download

  • memory/2960-188-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2960-189-0x0000000001660000-0x0000000003C71000-memory.dmp

    Filesize

    38.1MB

    Download

  • memory/2960-202-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2960-213-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2960-208-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2960-212-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2960-210-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2960-211-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/5052-183-0x00000000063D0000-0x00000000089E1000-memory.dmp

    Filesize

    38.1MB

    Download

  • memory/5052-184-0x00000000063D0000-0x00000000089E1000-memory.dmp

    Filesize

    38.1MB

    Download