Malware Analysis Report

2024-11-15 10:21

Sample ID 241105-qt1vca1mhs
Target e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf
SHA256 e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf
Tags: discovery guloader remcos remotehost downloader rat
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf

Threat Level: Known bad

The file e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf was found to be: Known bad.

Malicious Activity Summary

discovery guloader remcos remotehost downloader rat

Guloader family

Remcos family

Remcos

Guloader,Cloudeye

Loads dropped DLL

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 13:33

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 13:33

Reported

2024-11-05 13:36

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe"

Signatures

Drops file in Program Files directory

Description: File opened for modification
Indicator: C:\Program Files (x86)\Common Files\kvindagtigt.ini
Process: C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe
Target: N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe

"C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 524

Network

N/A

Files

C:\Program Files (x86)\Common Files\kvindagtigt.ini

MD5 f298228d2d42ced0a00b0c5320000835
SHA1 fb06f02ddcda4c9ec752a688ee617064db3a49eb
SHA256 e399afe89f97eae7bcdae626913da1618f4f42ba11887217cdbf524720532ab2
SHA512 464da89f9e1d5935810443b20c3d19f77585d964df89f5cb427482a03c8ef6274d06cbc01533d92c691ffd55e1725ba5f427d023a45a5128bced0eee11e083fe

\Users\Admin\AppData\Local\Temp\nsy5C25.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 13:33

Reported

2024-11-05 13:36

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe"

Signatures

Guloader family

Tags: guloader

Guloader,Cloudeye

Tags: downloader guloader

Remcos

Tags: rat remcos

Remcos family

Tags: remcos

Suspicious use of NtCreateThreadExHideFromDebugger

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe
Target: N/A

Drops file in Program Files directory

Description: File opened for modification
Indicator: C:\Program Files (x86)\Common Files\kvindagtigt.ini
Process: C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe
Target: N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe
Target: N/A

Suspicious behavior: MapViewOfSection

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe

"C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe"

C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe

"C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe"

Network


Files

C:\Program Files (x86)\Common Files\kvindagtigt.ini

MD5 f298228d2d42ced0a00b0c5320000835
SHA1 fb06f02ddcda4c9ec752a688ee617064db3a49eb
SHA256 e399afe89f97eae7bcdae626913da1618f4f42ba11887217cdbf524720532ab2
SHA512 464da89f9e1d5935810443b20c3d19f77585d964df89f5cb427482a03c8ef6274d06cbc01533d92c691ffd55e1725ba5f427d023a45a5128bced0eee11e083fe

C:\Users\Admin\AppData\Local\Temp\nspB816.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35


C:\ProgramData\remcos\logs.dat

MD5 1bf491f46a891234950a4ce22ca78ee1
SHA1 fee0ce89e6bc8e48255c9106a1e09335775ab73d
SHA256 16a0a37e381e2d98038f0372d6f0adf0778a5620085e85a4aa44d8c88a064b16
SHA512 7698d12bf579cbe8e73402079d64c49e25ed346d6f5487f484297f15c66baaa39f61fbffd60f367cc14cae0a0c79bccd4c72e46b02b5db02529775cc24344bb4


Analysis: behavioral3

Detonation Overview

Submitted

2024-11-05 13:33

Reported

2024-11-05 13:36

Platform

win7-20241010-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\WerFault.exe
Target: C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Windows\SysWOW64\rundll32.exe
Target: N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-05 13:33

Reported

2024-11-05 13:36

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\WerFault.exe
Target: C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Windows\SysWOW64\rundll32.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 3420 wrote to memory of 4800
Indicator: N/A
Process: C:\Windows\system32\rundll32.exe
Target: C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4800 -ip 4800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 612

Network


Files

N/A