General

  • Target: dhl_doc_awb_shipping_invoice_18_04_2024_000000000000024.7z
  • Size: 22KB
  • Sample: 240419-pd4evsbd55
  • MD5: 6208bd00d2a8f3c90a8849fb0659af91
  • SHA1: 8dd4e3d91d75f5ffecb290732eb8503c8cd58450
  • SHA256: b312e71220b5c1a59397380829978ee5e10404d28c9573f576459fdae6103507
  • SHA512: 395ada860a7cf77d880786b2b0f80e486e6054a506d4a7dd272d04ace1ea19b6cb836869358db1ef0db2abc266d568833897044fb615a6358cab10af0594507f
  • SSDEEP: 384:c/eyw/5ZveA/cwCnNMOG3yQEU6l6t9MbuEefxxgo+S0j4E0PrQin:x5ZvD/RCnyYBl6rMb5efxx5kjD0zQin

Malware Config

Extracted

  • Family: remcos
  • Botnet: OKU
  • C2: iwarsut775laudrye2.duckdns.org:57484

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: true
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: klgbvnspt.dat
  • keylog_flag: false
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: lkjoetgtst-XYQOJR
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: (blank)
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: dhl_doc_awb_shipping_invoice_18_04_2024_000000000000024.vbs
    • Size: 42KB
    • MD5: 5734e6a07be159df58b947596cad09dd
    • SHA1: ee9358bab004d5c4e986172bbd0e1af6c85f6663
    • SHA256: 7f5ffd39a86f314a261131081bc9557a9f755222ac164bef9a2ee32a6c7b6cd3
    • SHA512: bc420981fe9dbccc9ff71526794c186bbbcd13043bde99710db41f87eddd40ddb35b8c7606afff3634dea3ac1f0ae53b5e6667f44e0e5c64c88c752f4b1ab3ab
    • SSDEEP: 768:la5Mt7HMMhtM029ceFAyg0od10q1ZsaaNWVr96XtlyE:lLtFh1DeFAH0ofxKkWtl3

    • Guloader, Cloudeye
      A shellcode-based downloader, first seen in 2020.

    • Remcos
      Remcos is closed-source remote control and surveillance software.

    • Blocklisted process makes network request

    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2
