Overview

overview

10

Static

static

1

a7ab5280ef...10.exe

windows7-x64

10

a7ab5280ef...10.exe

windows10-2004-x64

3

Reservebeh...er.ps1

windows7-x64

8

Reservebeh...er.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bb325a1a27e210b505fc7b7844424aebd14d2b30c819ce8abb0603df520d3a82

  • Size

    439KB

  • Sample

    240417-qd9gjsgg34

  • MD5

    9f4cbbbf4663b914b37c5aacf7431872

  • SHA1

    c52788fbd46d1b334757ab31d794bc5cabd3fa22

  • SHA256

    bb325a1a27e210b505fc7b7844424aebd14d2b30c819ce8abb0603df520d3a82

  • SHA512

    d6d3792ec2232bc686374b521444cb151b666a5deac33dabf1fe218faede34d0dbb8579f19464a8a4f16d54952ba371b8b23f099d7b31fa7fac2c4dd4f068adc

  • SSDEEP

    12288:DJDM/Ima7YCW72K5roiAn+pR7KsrfkSF64Th:D1q7wm22ro+pR2qfkwb

Score
10/10
guloaderremcosgracedownloaderpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

GRACE

C2

eweo9264gtuiort.duckdns.org:35966

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    ghyhne.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    gtsyhbnj-ZGGA79

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      a7ab5280efdd1f09f7c15daafa507b5a889e30cb9bfa0060ae5cf29a64c9d410.exe

    • Size

      692KB

    • MD5

      0613b5c6e1cbce2a95749aad0f66d0a5

    • SHA1

      7efd22ff2aeed3bbe316bf99126b6934da672128

    • SHA256

      a7ab5280efdd1f09f7c15daafa507b5a889e30cb9bfa0060ae5cf29a64c9d410

    • SHA512

      e00bd747a765de4f07b162b85f3a9d0f054155fd48dc6fa08658d8e3a7b45403664943958a3dc3b4bcf67a2c59f2f6fddc94245a5c97d164099379dfdc73307d

    • SSDEEP

      12288:Hpwiapd/PNMdUhTvaqOyXudHs+feJOgxQN08QbXyTTFakU5zxmRgZYqMC:HauFPfeQdQbX4FytdZnMC

    Score
    10/10
    guloaderremcosgracedownloaderpersistencerat

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Reservebeholdninger.Dak175

    • Size

      58KB

    • MD5

      a687f6d2ecff91aee4bd9e4d16a35089

    • SHA1

      d2666e69bc1455afb305dc880889acedbd0fab03

    • SHA256

      9667fc1a9915b7e9b53ec8d2d8711bf4855ca01420538e152e6f4624db54436c

    • SHA512

      284b000a92f44c171188bf540f5fb36b564c0fbd381d548cd3cffc74efc43e8acdf12d7db2da4228d1bbcde1658c3136d989b9f0c70bcd1ecbae8276cba1c759

    • SSDEEP

      1536:nEKsdqJnD8vjXSYoDO27FaOwfbUiemRLlvsbeeF5q2GY6E/0k5pS:nnsdqJD8vjXSY67F1wDUANuvN5s

    Score
    8/10
    persistence

    • Modifies Installed Components in the registry

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

3
T1012

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks