Overview

overview

10

Static

static

3

INQUIRY#46...TS.exe

windows7-x64

10

INQUIRY#46...TS.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    INQUIRY#46789-MAY_24_PRODUCTS.exe

  • Size

    414KB

  • Sample

    240527-hrg1fscf45

  • MD5

    b0058626c77841fea067aa436ff4f1e7

  • SHA1

    cb42fd42e35ffaab9eb7000f0e3df59c2ba4ec7a

  • SHA256

    0459c020742f5356d25d14f2cd937ecee923a54402246dc521452a6c9b353119

  • SHA512

    76caef3ebcde654c9237110a632c4acb1397843aee53fbff73d6686233d0fce0ffae12ab2764abea3fc8426379f306bc65ccdec4d9fda468d300fcb5054d74c3

  • SSDEEP

    6144:Y7eCdHpEMIeSdeNuUeOR7LTmlE8uf58dnABhc+Ku5hygOdtUwj0TnmuqXdG:6PNAd7nOtS4EJi5hygoRu6Xw

Score
10/10
guloaderremcosceyecollectiondownloaderpersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

CEYE

C2

64.188.26.202:1604

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Vexploio.exe

  • copy_folder

    Vexplo

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-RXKA3P

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      INQUIRY#46789-MAY_24_PRODUCTS.exe

    • Size

      414KB

    • MD5

      b0058626c77841fea067aa436ff4f1e7

    • SHA1

      cb42fd42e35ffaab9eb7000f0e3df59c2ba4ec7a

    • SHA256

      0459c020742f5356d25d14f2cd937ecee923a54402246dc521452a6c9b353119

    • SHA512

      76caef3ebcde654c9237110a632c4acb1397843aee53fbff73d6686233d0fce0ffae12ab2764abea3fc8426379f306bc65ccdec4d9fda468d300fcb5054d74c3

    • SSDEEP

      6144:Y7eCdHpEMIeSdeNuUeOR7LTmlE8uf58dnABhc+Ku5hygOdtUwj0TnmuqXdG:6PNAd7nOtS4EJi5hygoRu6Xw

    Score
    10/10
    guloaderremcosceyecollectiondownloaderpersistenceratspywarestealer

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      fbe295e5a1acfbd0a6271898f885fe6a

    • SHA1

      d6d205922e61635472efb13c2bb92c9ac6cb96da

    • SHA256

      a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

    • SHA512

      2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

    • SSDEEP

      192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks