General

  • Target

    FINAL CMR.-Transportauftrag Nachlauf new.exe

  • Size

    1004KB

  • Sample

    240422-vt958sdg87

  • MD5

    65776d668bf11116dd97b54c1c280fd5

  • SHA1

    512cb011ee03041f66456e052a39a4062113f6a7

  • SHA256

    0a53c3881a3fa2a2219dacf69df133a66250063ffee9cc35bfe1e56759286682

  • SHA512

    5e1e771596ed2f8e3737db2c349b45924def9ee0ba84865017abb2a4e1c3569f98c5526ed2781ee8361f1a7d0da2fa8c30cc4e757bb0b2519d542c06c830977c

  • SSDEEP

    24576:8IGB3Fr2WJfxpzXTuvMJbmhQU/YydIE5Ltp:ExZjuvMxmhB/Ylyp

Malware Config

Extracted

Family

remcos

Botnet

Top

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    mqerms.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    alpwovnb-G3F5OR

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      FINAL CMR.-Transportauftrag Nachlauf new.exe

    • Size

      1004KB

    • MD5

      65776d668bf11116dd97b54c1c280fd5

    • SHA1

      512cb011ee03041f66456e052a39a4062113f6a7

    • SHA256

      0a53c3881a3fa2a2219dacf69df133a66250063ffee9cc35bfe1e56759286682

    • SHA512

      5e1e771596ed2f8e3737db2c349b45924def9ee0ba84865017abb2a4e1c3569f98c5526ed2781ee8361f1a7d0da2fa8c30cc4e757bb0b2519d542c06c830977c

    • SSDEEP

      24576:8IGB3Fr2WJfxpzXTuvMJbmhQU/YydIE5Ltp:ExZjuvMxmhB/Ylyp

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Wambliness/Apollinarisernes/Tailet.Unm

    • Size

      56KB

    • MD5

      f2e779561795736d366beb06fa554a27

    • SHA1

      b94323b998671cda6aeb112ee4638ac059e17c46

    • SHA256

      e4ae0ff3adcacc0924c58ce16e8deab2a9968d789fac2cbbbba9d9f6a6e72531

    • SHA512

      4d8c925137983c61d3bc6c454b32a0d75eb050437353d4ce6acbed9feff131add0906007669e9c50289b9ac66d9927ce9c45776180791b79ee3386ebc87f5dc9

    • SSDEEP

      1536:wzPuCKLrlcdAqZ7EvzIZgAMEOBvr9Yf0J+0:wg5cjmzA7+5

    Score: 8/10
    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 2

  • Registry Run Keys / Startup Folder (T1547.001): 2

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2

  • Registry Run Keys / Startup Folder (T1547.001): 2

Defense Evasion

  • Modify Registry (T1112): 4

Discovery

  • System Information Discovery (T1082): 3

  • Query Registry (T1012): 3

  • Peripheral Device Discovery (T1120): 2

Tasks