General

  • Target: 82d06e2792747b46de0d380084e555b5351701543b1eb13289a0ba199c09797a
  • Size: 439KB
  • Sample: 240417-qjx1psae9t
  • MD5: eff4e732cc6af6bde9706f6b76191107
  • SHA1: 8a31fddb8dce807edd229008f80553dda9d2670c
  • SHA256: 82d06e2792747b46de0d380084e555b5351701543b1eb13289a0ba199c09797a
  • SHA512: 8a0cc98feff874f360501b5998180bee302d86bc5cf0b85553113edc30d92d7047390ceea9c89c8c643b8b483ece30e3083ff07fe4d7e0a05e69b2635fca8bf7
  • SSDEEP: 12288:3BiEw9u4L5zVxhwvg1WevOAmbsOofq9wO:3/+xLbFxv9mwOoC9x

Malware Config

Extracted

  • Family: remcos
  • Botnet: GRACE
  • C2: eweo9264gtuiort.duckdns.org:35966

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: true
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: ghyhne.dat
  • keylog_flag: false
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: gtsyhbnj-ZGGA79
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value:
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: a7ab5280efdd1f09f7c15daafa507b5a889e30cb9bfa0060ae5cf29a64c9d410.exe
    • Size: 692KB
    • MD5: 0613b5c6e1cbce2a95749aad0f66d0a5
    • SHA1: 7efd22ff2aeed3bbe316bf99126b6934da672128
    • SHA256: a7ab5280efdd1f09f7c15daafa507b5a889e30cb9bfa0060ae5cf29a64c9d410
    • SHA512: e00bd747a765de4f07b162b85f3a9d0f054155fd48dc6fa08658d8e3a7b45403664943958a3dc3b4bcf67a2c59f2f6fddc94245a5c97d164099379dfdc73307d
    • SSDEEP: 12288:Hpwiapd/PNMdUhTvaqOyXudHs+feJOgxQN08QbXyTTFakU5zxmRgZYqMC:HauFPfeQdQbX4FytdZnMC

    • Guloader, Cloudeye: a shellcode-based downloader first seen in 2020.
    • Remcos: Remcos is a closed-source remote control and surveillance software.
    • NirSoft MailPassView: password recovery tool for various email clients.
    • NirSoft WebBrowserPassView: password recovery tool for various web browsers.
    • Nirsoft
    • Accesses Microsoft Outlook accounts
    • Adds Run key to start application
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

    • Target: Reservebeholdninger.Dak175
    • Size: 58KB
    • MD5: a687f6d2ecff91aee4bd9e4d16a35089
    • SHA1: d2666e69bc1455afb305dc880889acedbd0fab03
    • SHA256: 9667fc1a9915b7e9b53ec8d2d8711bf4855ca01420538e152e6f4624db54436c
    • SHA512: 284b000a92f44c171188bf540f5fb36b564c0fbd381d548cd3cffc74efc43e8acdf12d7db2da4228d1bbcde1658c3136d989b9f0c70bcd1ecbae8276cba1c759
    • SSDEEP: 1536:nEKsdqJnD8vjXSYoDO27FaOwfbUiemRLlvsbeeF5q2GY6E/0k5pS:nnsdqJD8vjXSY67F1wDUANuvN5s

    Score: 8/10
    • Modifies Installed Components in the registry
    • Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • T1547 Boot or Logon Autostart Execution (2)
  • T1547.001 Registry Run Keys / Startup Folder (2)

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution (2)
  • T1547.001 Registry Run Keys / Startup Folder (2)

Defense Evasion
  • T1112 Modify Registry (4)

Discovery
  • T1082 System Information Discovery (3)
  • T1012 Query Registry (3)
  • T1120 Peripheral Device Discovery (2)

Collection
  • T1114 Email Collection (1)

Command and Control
  • T1102 Web Service (1)
