General

  • Target

    86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe

  • Size

    498KB

  • Sample

    241009-x3ag3sscmj

  • MD5

    4a0c104a8b44b6607bf92dc24972db67

  • SHA1

    7950f8f92c4778f16e7f10313233ea6ddec0b990

  • SHA256

    86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208

  • SHA512

    a142af9a7c5c9221f185245ca3834432cdc5a19bca51c15d27ce51bdbf8c609e5dc75241e58616f84c3001685b923696b7ca04e97e13c54212739ed2f68e9698

  • SSDEEP

    6144:AC2Evn/IvIrb2mU/Vy5NkiQETBtCK1A/Dsz0KIS8QxNRuv0j1JtX7PXjrnCgLa55:VnC8CmU/MjkoBtCKmwxNEgzjLEcvB0

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

ejikeguys.lol:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-IR0L2E

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
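
The extracted configuration above, turned into hunting artifacts (added example; not output of the sandbox and not Remcos code). CONFIG_TEXT is a constructed copy of this page's attribute list in the same "• key / value" layout, trimmed to the keys used; C2_TEXT is the page's C2 line. Which flag gates which artifact, and that the mutex is created on start regardless of the other flags, is this author's reading of Remcos configuration semantics and should be treated as an assumption. The practical point: with install_flag, keylog_flag and screenshot_flag all false, only the mutex and the C2 endpoint are expected on a live host; the copy, keylog and screenshot names are latent strings in the binary, not files to hunt for.

```python
"""Derive hunting artifacts from an extracted Remcos configuration.

Added example, not part of the sandbox report or of Remcos.  CONFIG_TEXT is a
constructed copy of the page's attribute list (same "• key / value" layout,
trimmed to the keys used here); C2_TEXT is the page's C2 line.  Which config
flag gates which artifact is this author's reading of Remcos semantics.
"""

CONFIG_TEXT = """
  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • install_flag

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mutex

    Rmc-IR0L2E

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%
"""

# Extracted Remcos configs may carry several C2 entries; '|' is assumed here
# as the separator when more than one is present.
C2_TEXT = "ejikeguys.lol:2404"


def parse_config(text):
    """Read each '• key' line and the value line that follows it into a dict."""
    attrs, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            key = line[1:].strip()
        elif key is not None:
            attrs[key] = line
            key = None
    return attrs


def c2_endpoints(c2_text):
    """Split 'host:port' entries into (host, port) tuples."""
    endpoints = []
    for entry in c2_text.split("|"):
        entry = entry.strip()
        if not entry:
            continue
        host, _, port = entry.rpartition(":")
        endpoints.append((host, int(port)))
    return endpoints


def is_true(attrs, key):
    return attrs.get(key, "false").strip().lower() == "true"


def hunting_artifacts(attrs, c2_text):
    """Map artifact name -> (value, active).

    active=True means the configuration enables the behaviour that produces
    the artifact; False means the name is only latent in the binary.
    """
    return {
        # Named mutex, assumed to be created at start-up regardless of the other flags.
        "mutex": (attrs["mutex"], True),
        "c2": (c2_endpoints(c2_text), True),
        # Persistence copy <copy_folder>\<copy_file>, written only if install_flag is set.
        "install_copy": (attrs["copy_folder"] + "\\" + attrs["copy_file"],
                         is_true(attrs, "install_flag")),
        # Offline keylog <keylog_folder>\<keylog_file>, written only if keylog_flag is set.
        "keylog": (attrs["keylog_folder"] + "\\" + attrs["keylog_file"],
                   is_true(attrs, "keylog_flag")),
        # Screenshot drop folder, used only if screenshot_flag is set.
        "screenshots": (attrs["screenshot_path"] + "\\" + attrs["screenshot_folder"],
                        is_true(attrs, "screenshot_flag")),
    }


def active_artifacts(attrs, c2_text):
    """Names of the artifacts this sample will actually produce."""
    return {name for name, (_, on) in hunting_artifacts(attrs, c2_text).items() if on}


if __name__ == "__main__":
    attrs = parse_config(CONFIG_TEXT)
    for name, (value, on) in hunting_artifacts(attrs, C2_TEXT).items():
        print(f"{'ACTIVE' if on else 'latent':6} {name}: {value}")
```

Run as-is it prints the mutex and ejikeguys.lol:2404 as active and the three path artifacts as latent; feeding it a config with install_flag true would promote Remcos\remcos.exe to an active file indicator.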

Targets

    • Target

      86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe

    • Size

      498KB

    • MD5

      4a0c104a8b44b6607bf92dc24972db67

    • SHA1

      7950f8f92c4778f16e7f10313233ea6ddec0b990

    • SHA256

      86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208

    • SHA512

      a142af9a7c5c9221f185245ca3834432cdc5a19bca51c15d27ce51bdbf8c609e5dc75241e58616f84c3001685b923696b7ca04e97e13c54212739ed2f68e9698

    • SSDEEP

      6144:AC2Evn/IvIrb2mU/Vy5NkiQETBtCK1A/Dsz0KIS8QxNRuv0j1JtX7PXjrnCgLa55:VnC8CmU/MjkoBtCKmwxNEgzjLEcvB0

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Remcos

      Remcos is a closed-source remote control and surveillance tool, commonly used as a RAT.

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger (thread created with the hide-from-debugger flag, so an attached debugger receives no events from it)

    • Suspicious use of NtSetInformationThreadHideFromDebugger (ThreadHideFromDebugger set on an existing thread; the same anti-debugging effect)

    • Suspicious use of SetThreadContext (rewriting another thread's register context, typical of process hollowing and other injection into a suspended process)

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      375e8a08471dc6f85f3828488b1147b3

    • SHA1

      1941484ac710fc301a7d31d6f1345e32a21546af

    • SHA256

      4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78

    • SHA512

      5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

    • SSDEEP

      192:MPtkumJX7zB22kGwfy0mtVgkCPOs91un:9702k5qpds9Qn

    • Score

      3/10

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      4bbc9d77ef7f748f8c85750c3a445f0a

    • SHA1

      d57a8304bb44ccdb3163b880b3c1bb213461399d

    • SHA256

      482536968672d70279a5204060ff84ace25237f24b1bdf3b02e289d50ea5450c

    • SHA512

      b9430939daab0c8b7e77b96f2f7f85e8e1abd9f43eccbdf94078f77ef05b31a2a31f04ca3a2eff5aa7cc965029ed437af2eb100c197ef51f128ca827ad20e902

    • SSDEEP

      96:z7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgN63e:fXhHR0aTQN4gRHdMqJVgNp

    • Score

      3/10
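
The two dropped files above, $PLUGINSDIR/System.dll and $PLUGINSDIR/nsExec.dll, are standard NSIS installer plugins, which is why a practitioner's first check on the parent executable is whether it carries an NSIS archive in its PE overlay. The example below (added here; not part of the sandbox report, of NSIS or of 7-Zip) locates the NSIS firstheader by its 0xDEADBEEF + "NullsoftInst" marker and parses the two length fields after it, then reads the plugin names out of a 7-Zip listing. The firstheader layout follows NSIS's fileform.h as this author recalls it, the meaning assigned to the second length field is an assumption, and the listing is constructed to resemble `7z l` output with the two plugin sizes taken from this page (11 KB and 6 KB, rounded to whole KiB) and a placeholder third entry.

```python
"""Recognise an NSIS-built executable and read the plugin list from a 7-Zip listing.

Added example, not part of the sandbox report, of NSIS or of 7-Zip.  The
firstheader layout follows NSIS's fileform.h as this author recalls it; the
7-Zip listing below is constructed to resemble '7z l' output, with the two
plugin sizes taken from this page (11 KB and 6 KB) rounded to whole KiB.
"""
import re
import struct

# Every NSIS installer carries a "firstheader" in the PE overlay:
#   flags (4) | 0xDEADBEEF (4) | "NullsoftInst" (12) | header length (4) | data length (4)
NSIS_MAGIC = b"\xef\xbe\xad\xde" + b"NullsoftInst"
FIRSTHEADER = struct.Struct("<I4s12sII")


def find_nsis_firstheader(data):
    """Return (offset, header_len, following_len) for the firstheader, or None.

    following_len is taken here (assumption) as the byte count from the start
    of the firstheader to the end of the installer data, so it must fit in
    the file; a mismatch means truncation or a false marker hit.
    """
    pos = data.find(NSIS_MAGIC)
    if pos < 4 or pos - 4 + FIRSTHEADER.size > len(data):
        return None
    start = pos - 4
    _flags, _sig, _marker, header_len, following_len = FIRSTHEADER.unpack_from(data, start)
    if following_len < FIRSTHEADER.size or start + following_len > len(data):
        return None
    return start, header_len, following_len


def build_fake_installer(payload):
    """Constructed stand-in for a real installer: a fake MZ stub, a firstheader
    and a payload.  Real samples have full PE headers and sections first."""
    stub = b"MZ" + b"\x00" * 126
    following_len = FIRSTHEADER.size + len(payload)
    header = FIRSTHEADER.pack(0, b"\xef\xbe\xad\xde", b"NullsoftInst", 0x100, following_len)
    return stub + header + payload


# Constructed listing in the shape of `7z l sample.exe` for an NSIS archive;
# the third entry is a placeholder, not a file named on this page.
SEVENZIP_LISTING = """\
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2024-10-09 00:00:00 .....        11264        11264  $PLUGINSDIR/System.dll
2024-10-09 00:00:00 .....         6144         6144  $PLUGINSDIR/nsExec.dll
2024-10-09 00:00:00 .....         4096         4096  other.dat
------------------- ----- ------------ ------------  ------------------------
"""


def plugins_from_listing(listing):
    """Return {plugin dll name: size} for $PLUGINSDIR entries in a 7z listing."""
    found = {}
    pattern = re.compile(r"^\S+ \S+ \S+\s+(\d+)\s+\d*\s*\$PLUGINSDIR[\\/](\S+)$")
    for line in listing.splitlines():
        m = pattern.match(line)
        if m:
            found[m.group(2)] = int(m.group(1))
    return found


if __name__ == "__main__":
    sample = build_fake_installer(b"A" * 64)
    print("NSIS firstheader:", find_nsis_firstheader(sample))
    print("plugins:", plugins_from_listing(SEVENZIP_LISTING))
```

On a real sample, 7-Zip's NSIS handler lists the archive with `7z l sample.exe` and extracts it with `7z x`, which is how the $PLUGINSDIR contents above can be pulled out for separate analysis; the marker scan is the cheap triage step that tells you the listing is worth running.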

MITRE ATT&CK Enterprise v15

Tasks