Resubmissions

11-10-2023 08:53  231011-ktqfqace3x  10
11-10-2023 08:40  231011-kk87gabh4w  10
11-10-2023 08:23  231011-kaf3yada69  10

General

  • Target: 745ddcf53d5143cc0d10eab6726401d4.bin
  • Size: 792KB
  • Sample: 231011-ktqfqace3x
  • MD5: 745ddcf53d5143cc0d10eab6726401d4
  • SHA1: c3b7e11ebfe59a64447f61308788a8275d709fd9
  • SHA256: 2222cfde2a4fb474984f2dec6e7819fc722889ede5bb9b6bad905e273c52db80
  • SHA512: af6b2c9a1771495c1b3aa8f778b51aedb4842dbb9cd92169c028ba2c55232a169c20ede1979af49fcd954aa044c6d78e0806291e869bf7c3f00c3ea9bcdb6a21
  • SSDEEP: 12288:+Mrdkb1W/dpEej9o6VXKCRRkraYpd+VG7bEOQiW+y2nGebyk8j:+CkboPEem6VXlR9YpdxfExFLkC

Malware Config

Extracted

Family: remcos
Botnet: Crypted
C2: ourt2949aslumes9.duckdns.org:2401

Attributes
  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: true
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: paqlgkfs.dat
  • keylog_flag: false
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: ourvbpld-RBN2WW
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value:
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: CMR CA4653XT -10-10-2023-7.exe
    • Size: 807KB
    • MD5: 6f7d51ec00fe651601b179d7af7be2cf
    • SHA1: e199b506d0ac0a5c61af8224f69da19a3940a0dc
    • SHA256: bc1401e81ad110669077ad7e3f0c57fb80b04b06397e5a4d384c7bb80dec4361
    • SHA512: 97f719f94373e7ed2f38e2915b926176909c9da87cc1d579ee5fd21c347f7b56ae2c614a8ed8ed13872d40ff84f081949915ca74eec2cb348ba8a75c27f046bf
    • SSDEEP: 12288:qYoVFrdkb10/dREKj9g6VdKCRTU9aYTd+PGZb8OQEW+G2DsebUk8s:qYoVHkb6TEiW6VdlTtYTd7p8x/7kF

    • Guloader, Cloudeye: A shellcode-based downloader first seen in 2020.
    • Remcos: Remcos is a closed-source remote control and surveillance software.
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  • Modify Registry (T1112): 1

Discovery
  • System Information Discovery (T1082): 1

Tasks