Overview

overview

10

Static

static

3

3035773a6f...04.exe

windows7-x64

7

3035773a6f...04.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3035773a6fd96df3c95f7b3c966cc204.exe

  • Size

    431KB

  • Sample

    240923-n9qm7szbne

  • MD5

    3035773a6fd96df3c95f7b3c966cc204

  • SHA1

    8edaa8a7551b35e08e4ba8574a29440023813e85

  • SHA256

    3651fbb3c17ca4bc7590476dad23c1fbd773bc3595313d87ac23eff91c203586

  • SHA512

    1fbb1e59e9999bed11f15dace727c745fa788f0d26cf887b924670eead5b1ece5a6ed9c8702f0d83c71734fefd95893bf06fbdb3cb6b52e777ca4ae2c7fa40e7

  • SSDEEP

    12288:AgGlyn9K5Fy1sDLwdr0jD2O7yvZ4Gl1Wb6:AgEUc58sfPjdGuUWb6

Score
10/10
guloaderremcosgrace&successdiscoverydownloaderpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

GRACE&SUCCESS

C2

eweo9264gtuiort.duckdns.org:22740

eweo9264gtuiort.duckdns.org:35966
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    great.dat

  • keylog_flag

    false

  • keylog_folder

    great

  • mouse_option

    false

  • mutex

    Rmc-GEOGQB

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      3035773a6fd96df3c95f7b3c966cc204.exe

    • Size

      431KB

    • MD5

      3035773a6fd96df3c95f7b3c966cc204

    • SHA1

      8edaa8a7551b35e08e4ba8574a29440023813e85

    • SHA256

      3651fbb3c17ca4bc7590476dad23c1fbd773bc3595313d87ac23eff91c203586

    • SHA512

      1fbb1e59e9999bed11f15dace727c745fa788f0d26cf887b924670eead5b1ece5a6ed9c8702f0d83c71734fefd95893bf06fbdb3cb6b52e777ca4ae2c7fa40e7

    • SSDEEP

      12288:AgGlyn9K5Fy1sDLwdr0jD2O7yvZ4Gl1Wb6:AgEUc58sfPjdGuUWb6

    Score
    10/10
    discoveryguloaderremcosgrace&successdownloaderpersistencerat

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      564bb0373067e1785cba7e4c24aab4bf

    • SHA1

      7c9416a01d821b10b2eef97b80899d24014d6fc1

    • SHA256

      7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

    • SHA512

      22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

    • SSDEEP

      192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks