Overview

overview

10

Static

static

3

Belialist.exe

windows7-x64

10

Belialist.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    24-10-2024 07:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Belialist.exe

  • Size

    511KB

  • MD5

    24d65daddfed0602d8c90b5dfa47b7bb

  • SHA1

    c46f000d10a66687cefd4a8fee1c8b3e84afd4b9

  • SHA256

    034d0ad83a1a41c3fb2be5110d68a545b2426a337006a7f34a2050a0c7a18b9a

  • SHA512

    09e16a15e18eb08f45f964fa271365e688507d561fc8567ce9417a54283dfb0785ef5a379456bb44cea187d7a5951521347a3e6f139560327460dfd449a6fe33

  • SSDEEP

    12288:OjkqENMhypm0dvksi4P60gnkwNpRp9gS1S:yEmh8rRkvc61k4s

Score
10/10
guloaderremcosremotehostdiscoverydownloaderrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

212.162.149.195:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-9EP276

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Loads dropped DLL 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Belialist.exe
    "C:\Users\Admin\AppData\Local\Temp\Belialist.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Local\Temp\Belialist.exe
      "C:\Users\Admin\AppData\Local\Temp\Belialist.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    0c6b44fad7d223e1283cca0abcec808f

    SHA1

    d3514863a419153da4b21382f2b1f32bca397c33

    SHA256

    2a3f16fb6380b7adef88bb4acf9baf43d27b9e81326d49a72deadf0144caff3d

    SHA512

    7a726d4ca84bce1704f5578b5e04e4d4555b6f08d2fedf9707ea1b17572e05d4f491d62b70b4cc6eb0811292afa6a73cfb1b453e929f8c5cd6f0b4fee28a6ded

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nseFA67.tmp\System.dll
    Filesize

    11KB

    MD5

    960a5c48e25cf2bca332e74e11d825c9

    SHA1

    da35c6816ace5daf4c6c1d57b93b09a82ecdc876

    SHA256

    484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

    SHA512

    cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

    Download Submit

  • memory/2280-25-0x0000000003250000-0x0000000005AAE000-memory.dmp

    Filesize

    40.4MB

    Download

  • memory/2280-22-0x0000000077271000-0x0000000077372000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2280-23-0x0000000077270000-0x0000000077419000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2280-21-0x0000000003250000-0x0000000005AAE000-memory.dmp

    Filesize

    40.4MB

    Download

  • memory/2280-20-0x0000000003250000-0x0000000005AAE000-memory.dmp

    Filesize

    40.4MB

    Download

  • memory/2780-24-0x0000000077270000-0x0000000077419000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2780-26-0x0000000000470000-0x00000000014D2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2780-32-0x0000000000470000-0x00000000014D2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2780-36-0x0000000000470000-0x00000000014D2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2780-37-0x0000000000470000-0x00000000014D2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2780-41-0x0000000000470000-0x00000000014D2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2780-44-0x0000000000470000-0x00000000014D2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2780-47-0x0000000000470000-0x00000000014D2000-memory.dmp

    Filesize

    16.4MB

    Download