General

  • Target

    43319fa796c6b542426e4e853a26a12d9a1cd49687878484a5bae88d246600cb.exe

  • Size

    383KB

  • Sample

    240430-mw3vyaae8y

  • MD5

    23e67f856583bc4edbab6d66fb5d3519

  • SHA1

    335d696e7448570c632dc0b6f3aadfe69262d2ef

  • SHA256

    43319fa796c6b542426e4e853a26a12d9a1cd49687878484a5bae88d246600cb

  • SHA512

    893f81e5c0a8e64b4a2ab2edee73b7867255154191cd73ca9faddfc3c7c68454689dc3b297c7cf3bb51f14f3910fb9c0ff6f1ce5f1139961a8153e54c9868ffc

  • SSDEEP

    6144:HT4DtVpZI3UNWc3n5C3Tsc8XANjZ8S+ztjsNtsZ7X9/wkm8mKuUE2OCQpPAvFeVY:HTgYEztxwquUfNQZAvsl9pSTlDt

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    Top

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    mqerms.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    alpwovnb-G3F5OR

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      43319fa796c6b542426e4e853a26a12d9a1cd49687878484a5bae88d246600cb.exe

    • Size

      383KB

    • MD5

      23e67f856583bc4edbab6d66fb5d3519

    • SHA1

      335d696e7448570c632dc0b6f3aadfe69262d2ef

    • SHA256

      43319fa796c6b542426e4e853a26a12d9a1cd49687878484a5bae88d246600cb

    • SHA512

      893f81e5c0a8e64b4a2ab2edee73b7867255154191cd73ca9faddfc3c7c68454689dc3b297c7cf3bb51f14f3910fb9c0ff6f1ce5f1139961a8153e54c9868ffc

    • SSDEEP

      6144:HT4DtVpZI3UNWc3n5C3Tsc8XANjZ8S+ztjsNtsZ7X9/wkm8mKuUE2OCQpPAvFeVY:HTgYEztxwquUfNQZAvsl9pSTlDt

    • Guloader, Cloudeye

      A shellcode-based downloader, first seen in 2020.

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      jebliksbilledes/Unrelative/Sikkativers/Regredieredes/Fastkurspolitikken.Vol

    • Size

      60KB

    • MD5

      2a4c059165f67c3923409c13eb335f08

    • SHA1

      327454ea9cef3b257a7a154bc75aa1dac1dc77d1

    • SHA256

      f383eb80238916fd6c00c1513464f841fefb622aad04f345f4bc69f8a24aa8b1

    • SHA512

      d1d1898f852d9fb3af766fea3e06ffefad91af0bc4d5652716103f6f2151118b5129d8c9707fcaf14d3e16654f7148163b80ec03a3e2a4bbb036575666392560

    • SSDEEP

      768:bxvCc7TZ/G5kUwtoHQsp55qLP4vozxzNVqsZPiL3B3uy1LnUIz75zx7IwUER81uu:1qJ+ltCWP3NzNVqLj5bDd9NxouDgUSV

    • Score

      8/10

    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (2)

  • Privilege Escalation

    Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (2)

  • Defense Evasion

    Modify Registry, T1112 (3)

  • Discovery

    System Information Discovery, T1082 (3)
    Query Registry, T1012 (3)
    Peripheral Device Discovery, T1120 (2)
