Overview

overview

10

Static

static

1

a7ab5280ef...10.exe

windows7-x64

10

a7ab5280ef...10.exe

windows10-2004-x64

10

Reservebeh...er.ps1

windows7-x64

8

Reservebeh...er.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f898edd3ab9e6c0428533bc9523fe897bb6b76b2eb67581eec0434e3fd5b4660

  • Size

    439KB

  • Sample

    240417-p7q2mahg2z

  • MD5

    007f06bc5a638570f4d0a637bdd56360

  • SHA1

    669333ba2a0807594dc7ca44f6cd33f55581813c

  • SHA256

    f898edd3ab9e6c0428533bc9523fe897bb6b76b2eb67581eec0434e3fd5b4660

  • SHA512

    d7126e965368d58b8a5e4f3ff07d57fb9024157e82b83adde561d3a836a154b096cdf8c7e5b3af182152bba1d7ed881915d6f81e0711e1efd495f91448466cd5

  • SSDEEP

    12288:/geEMSt/rt01EYiTw/aHuxZmeSqWWMwOsTJfAI2:/xCxt0jiToTZHWWO4JfH2

Score
10/10
guloaderremcosgracecollectiondownloaderpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

GRACE

C2

eweo9264gtuiort.duckdns.org:35966

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    ghyhne.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    gtsyhbnj-ZGGA79

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      a7ab5280efdd1f09f7c15daafa507b5a889e30cb9bfa0060ae5cf29a64c9d410.exe

    • Size

      692KB

    • MD5

      0613b5c6e1cbce2a95749aad0f66d0a5

    • SHA1

      7efd22ff2aeed3bbe316bf99126b6934da672128

    • SHA256

      a7ab5280efdd1f09f7c15daafa507b5a889e30cb9bfa0060ae5cf29a64c9d410

    • SHA512

      e00bd747a765de4f07b162b85f3a9d0f054155fd48dc6fa08658d8e3a7b45403664943958a3dc3b4bcf67a2c59f2f6fddc94245a5c97d164099379dfdc73307d

    • SSDEEP

      12288:Hpwiapd/PNMdUhTvaqOyXudHs+feJOgxQN08QbXyTTFakU5zxmRgZYqMC:HauFPfeQdQbX4FytdZnMC

    Score
    10/10
    guloaderdownloaderremcosgracecollectionpersistencerat

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Reservebeholdninger.Dak175

    • Size

      58KB

    • MD5

      a687f6d2ecff91aee4bd9e4d16a35089

    • SHA1

      d2666e69bc1455afb305dc880889acedbd0fab03

    • SHA256

      9667fc1a9915b7e9b53ec8d2d8711bf4855ca01420538e152e6f4624db54436c

    • SHA512

      284b000a92f44c171188bf540f5fb36b564c0fbd381d548cd3cffc74efc43e8acdf12d7db2da4228d1bbcde1658c3136d989b9f0c70bcd1ecbae8276cba1c759

    • SSDEEP

      1536:nEKsdqJnD8vjXSYoDO27FaOwfbUiemRLlvsbeeF5q2GY6E/0k5pS:nnsdqJD8vjXSY67F1wDUANuvN5s

    Score
    8/10
    persistence

    • Modifies Installed Components in the registry

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks