General

  • Target: 1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea.exe
  • Size: 520KB
  • Sample: 240422-nnad4aah51
  • MD5: ef53493176b714d7c8c972a756cfd806
  • SHA1: c7c08850f9dd1706a2a2a5b456f5de2b25eb200c
  • SHA256: 1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea
  • SHA512: eab8465a629001a43631724aaa9293c229286bebb33c943ce197ce5f17419b9b91c6f9be86c4dec68d4b099871abf3fa05807e99876ffa0ee3497f3a5abac2fa
  • SSDEEP: 12288:fnPdhsFldr2BFS3Cr3HUNdAfZBAfYKBuyhleDJB:vPdhoeBYSrHU7K9KBuRJB

Malware Config

Extracted
  • Family: remcos
  • Botnet: RemoteHost
  • C2: 209.90.234.20:2404

Attributes
  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-YDAEDG
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: 1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea.exe
    • Size: 520KB
    • MD5: ef53493176b714d7c8c972a756cfd806
    • SHA1: c7c08850f9dd1706a2a2a5b456f5de2b25eb200c
    • SHA256: 1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea
    • SHA512: eab8465a629001a43631724aaa9293c229286bebb33c943ce197ce5f17419b9b91c6f9be86c4dec68d4b099871abf3fa05807e99876ffa0ee3497f3a5abac2fa
    • SSDEEP: 12288:fnPdhsFldr2BFS3Cr3HUNdAfZBAfYKBuyhleDJB:vPdhoeBYSrHU7K9KBuRJB

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Accesses Microsoft Outlook accounts

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target: ravnemorens/Frsteinstanserne/Instantiations.Lil
    • Size: 54KB
    • MD5: 63d0c546b30964e943c2ac8fd5e236db
    • SHA1: 7d46713cb1d3cbfe25efcaf24369fb067d310920
    • SHA256: eb26aa5b4ec7a1c0c0ad2be344c02a23f770815a40e84e5b1b5fe24c9b64edda
    • SHA512: 91399fec920e3be9526e1af39a632512c6c00cea3566a9ce43fdbadf813c5b2b830620bfc381747b195a4e2c52b8ef4d81295b484ea6ed925979a97b8cf6a1ed
    • SSDEEP: 768:stRSpMsDEBbiYzC9AUQg+Fj0VY6fgw8cl+ZzPhkrV439KaEJQkP5HF0GEFGRGI:uRUM0qbiCYYo3gnZzPKrOtKaiT8rE

    Score: 8/10

    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  • Modify Registry (T1112): 2

Discovery
  • Query Registry (T1012): 4
  • System Information Discovery (T1082): 4
  • Peripheral Device Discovery (T1120): 2

Collection
  • Email Collection (T1114): 1
