General

  • Target: Carlispa_Ordine_00401702400417.iso
  • Size: 248KB
  • Sample: 240417-qndgvsah2x
  • MD5: a1369541890d9ce089123c0c9dcadd2a
  • SHA1: b0fe01cb16cebb85a997d84240dc60a3e7a0beb9
  • SHA256: 1c3db7d3d072707e609209a6e1bf54b830a0db37145d088a28894c0458564595
  • SHA512: 43c02fa5d03660f93c01758ff008a0e5bb47d9505a409c054bb85648c180c7321ee2926f1a797b2d0156088e1e1dbf80537d48e37bd08105593b46bf9afbf558
  • SSDEEP: 6144:GrR8ccABOwbDA2zJETxVu1vH/rsqfXB2moC:Ocyoq

Malware Config

Extracted

  • Family: remcos
  • Botnet: Protect
  • C2: darvien99lakoustr01.duckdns.org:3770

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: true
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: lmouitrs.dat
  • keylog_flag: false
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: akmsnxbfg-E906PA
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: (empty)
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

  • Target: Carlispa_Ordine_00401702400417.vbs
  • Size: 187KB
  • MD5: 947d8500e25de01d02c5dc254d67c248
  • SHA1: c073a8f64f2cbb46a1ea768b8c701d17a413b984
  • SHA256: fbd7521613eeda606382f56a500c5015af001af819556b056bd1ef076820e297
  • SHA512: fa53189ba4094b1af7a514acf85f832fe51ea2714afb4adea87193ead46c0e01c78f76ccfd342db58bddb45be237bf7d03326194553243d3085488b026294669
  • SSDEEP: 3072:2+w8jqrKK8ccABOwbDS2y2zJETxUuoHh36wH/OLxCxTwvNPapsCRXBDo5mFSartr:GrR8ccABOwbDA2zJETxVu1vH/rsqfXB7

  • Guloader, Cloudeye: a shellcode-based downloader first seen in 2020.
  • Remcos: Remcos is a closed-source remote control and surveillance software.
  • Blocklisted process makes network request
  • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
  • Adds Run key to start application
  • Suspicious use of NtCreateThreadExHideFromDebugger
  • Suspicious use of NtSetInformationThreadHideFromDebugger
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • T1547 Boot or Logon Autostart Execution: 1
  • T1547.001 Registry Run Keys / Startup Folder: 1

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution: 1
  • T1547.001 Registry Run Keys / Startup Folder: 1

Defense Evasion
  • T1112 Modify Registry: 2

Discovery
  • T1012 Query Registry: 1
  • T1082 System Information Discovery: 2
