Overview

overview

10

Static

static

3

quotation.exe

windows7-x64

10

quotation.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    475a71934a9da9e0120b9a922ba1d735243839cd3486640abd178a779a559efb.xz

  • Size

    763KB

  • Sample

    250213-echrnasnbn

  • MD5

    05c06d3bc6c2c14102821d778ecb52ac

  • SHA1

    6a59764eb30eedb467124854bec7a636a788c943

  • SHA256

    475a71934a9da9e0120b9a922ba1d735243839cd3486640abd178a779a559efb

  • SHA512

    b7d2d0904d627be16974c89801bef6f2749368973d35a50e33ec6df718f78ed07b985bbfd61fbffe2125d204e94690a0f1f517943144a08e677982914842c1f0

  • SSDEEP

    12288:35hHyhFKkQP1HIyPm/aZxMV4wgZ9drBMgrHBxHNG2I+8c8:XiKVze/aL5wgZ3rBvhxHNb8

Score
10/10
guloaderremcosp2-remotehostcollectiondiscoverydownloaderpersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

P2-RemoteHost

C2

46.183.222.85:49327

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-OMNE4N

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      quotation.exe

    • Size

      857KB

    • MD5

      35c34e6e68ec3f3abe65247dabaa92ac

    • SHA1

      ea00abbc843585fe658c59c2c5a07b661acb7294

    • SHA256

      ccf730b6af6f95df83d0ef459879ff64acc1aa68e3ec3bc4d721474698ae7c31

    • SHA512

      e7813090fa3486e5b199696a102dc74271f392ff8efec24ef981b56b820a74e2054ac1eae1b59476c935d4e9f9296bebccb5f6d9a96688cf15ad60cae55c61fd

    • SSDEEP

      12288:dV0sKNvgnt/a8gvgNEIDfdw4wuOOU4djLTr8ELDb6sZugTGU6uAAML1iSGLwf4us:dOTN4tUgVwHVILTr8436/V4uVtCNOy

    Score
    10/10
    guloaderremcosp2-remotehostdiscoverydownloaderpersistenceratcollectionspywarestealer

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      b8992e497d57001ddf100f9c397fcef5

    • SHA1

      e26ddf101a2ec5027975d2909306457c6f61cfbd

    • SHA256

      98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

    • SHA512

      8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

    • SSDEEP

      192:PPtkumJX7zB22kGwfy0mtVgkCPOs81un:E702k5qpds8Qn

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks