Overview

overview

10

Static

static

3

rELITETRADINGLL.exe

windows7-x64

10

rELITETRADINGLL.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250211-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-02-2025 04:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rELITETRADINGLL.exe

  • Size

    930KB

  • MD5

    c730d2226304c997f5cc1124a9cfe6fc

  • SHA1

    79e71e9efb193582619f93287202404d73348088

  • SHA256

    e81747a9ede60d251a5cca15da28963fb84975bcbd4f6ff2bb96558639dfc9e6

  • SHA512

    b19281c8bbe04847bd4000da0569f9c9aa05be60e8b29c12ab116f8fa352d120675db8c165b00315366e13e6a0b5d055c36620f2f51eea300dac80deadd71e68

  • SSDEEP

    24576:FerYnK4TwIld1V20+FDbzUMX5gBb4J4MOqsk3UiFZ:FerYnKRIlHV20+FDbzhX5gOJ8TJiz

Score
10/10
guloaderremcosodg-remotehostdiscoverydownloaderpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

odg-RemoteHost

C2

odg01.is-a-landscaper.com:49950

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-GN5MV3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader family
    guloader
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Downloads MZ/PE file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rELITETRADINGLL.exe
    "C:\Users\Admin\AppData\Local\Temp\rELITETRADINGLL.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Users\Admin\AppData\Local\Temp\rELITETRADINGLL.exe
      "C:\Users\Admin\AppData\Local\Temp\rELITETRADINGLL.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3160
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjJEOTU0OUMtRUNDMi00MDQzLTg5ODAtMzg3RDE0ODQxNDI5fSIgdXNlcmlkPSJ7M0RERTQyNTItRjYxMC00Q0EzLUExOEItRDM1MDgzM0M0NTg4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RTQ1MDUwN0MtNzA4MC00RjNGLThGQkEtNjA4QTFBRTg4NTI1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDk1NzI4MzU2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Unweaned236\Treehair.exe
    Filesize

    930KB

    MD5

    c730d2226304c997f5cc1124a9cfe6fc

    SHA1

    79e71e9efb193582619f93287202404d73348088

    SHA256

    e81747a9ede60d251a5cca15da28963fb84975bcbd4f6ff2bb96558639dfc9e6

    SHA512

    b19281c8bbe04847bd4000da0569f9c9aa05be60e8b29c12ab116f8fa352d120675db8c165b00315366e13e6a0b5d055c36620f2f51eea300dac80deadd71e68

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsv13D3.tmp\System.dll
    Filesize

    12KB

    MD5

    dd87a973e01c5d9f8e0fcc81a0af7c7a

    SHA1

    c9206ced48d1e5bc648b1d0f54cccc18bf643a14

    SHA256

    7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

    SHA512

    4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

    Download Submit

  • memory/2880-15-0x0000000077B41000-0x0000000077C61000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2880-16-0x0000000077B41000-0x0000000077C61000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2880-17-0x0000000074215000-0x0000000074216000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3160-18-0x0000000001710000-0x0000000005F2F000-memory.dmp

    Filesize

    72.1MB

    Download

  • memory/3160-19-0x0000000077BC8000-0x0000000077BC9000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3160-20-0x0000000077B41000-0x0000000077C61000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3160-23-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3160-48-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3160-52-0x0000000001710000-0x0000000005F2F000-memory.dmp

    Filesize

    72.1MB

    Download

  • memory/3160-53-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download