Overview

overview

10

Static

static

3

f7962bec2e...10.exe

windows7-x64

7

f7962bec2e...10.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f7962bec2e9ae0913ca8c8b3349a306d5e6f200ec6c1531e35749bb00d1b6a10.exe

  • Size

    454KB

  • Sample

    241113-dl1hdsvkdt

  • MD5

    6ff1a159ea827fc4cc63417004a81030

  • SHA1

    e6412f570c1c3aa91e8e87a92a8a848547f9b94d

  • SHA256

    f7962bec2e9ae0913ca8c8b3349a306d5e6f200ec6c1531e35749bb00d1b6a10

  • SHA512

    0039a328696c002a533da4f51ece25b61e7bb4256bb2af5dff02fa338f9a18e0a69da5ea3618d2f4c746960aa2df3188a5c0c1b115568e81a1436fc6b85b9116

  • SSDEEP

    12288:eTLpZM7P6UknZxn/7kRizAMzd6V7+aqEsapYNd1:eT7M7P6FZQQRxC7+JEfpWd1

Score
10/10
guloaderremcosremotehostcollectiondiscoverydownloaderratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

212.162.149.195:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-9EP276

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      f7962bec2e9ae0913ca8c8b3349a306d5e6f200ec6c1531e35749bb00d1b6a10.exe

    • Size

      454KB

    • MD5

      6ff1a159ea827fc4cc63417004a81030

    • SHA1

      e6412f570c1c3aa91e8e87a92a8a848547f9b94d

    • SHA256

      f7962bec2e9ae0913ca8c8b3349a306d5e6f200ec6c1531e35749bb00d1b6a10

    • SHA512

      0039a328696c002a533da4f51ece25b61e7bb4256bb2af5dff02fa338f9a18e0a69da5ea3618d2f4c746960aa2df3188a5c0c1b115568e81a1436fc6b85b9116

    • SSDEEP

      12288:eTLpZM7P6UknZxn/7kRizAMzd6V7+aqEsapYNd1:eT7M7P6FZQQRxC7+JEfpWd1

    Score
    10/10
    discoveryguloaderremcosremotehostcollectiondownloaderratspywarestealer

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      564bb0373067e1785cba7e4c24aab4bf

    • SHA1

      7c9416a01d821b10b2eef97b80899d24014d6fc1

    • SHA256

      7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

    • SHA512

      22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

    • SSDEEP

      192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks