Overview

overview

10

Static

static

3

DHL AWB an...cr.exe

windows7-x64

10

DHL AWB an...cr.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/03/2025, 19:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL AWB and INV.scr.exe

  • Size

    712KB

  • MD5

    e3e28e486e93c0b27fe0453b9e038cb9

  • SHA1

    08335cf5d72c462460627f02dc20773605d09e54

  • SHA256

    7e485dc6c635c50959ccc4b529a1e8b039eca2c9b1a505c782430c48e9ad16c4

  • SHA512

    eb9bf2827836a97b7cd439e9ec834e7a53e56655027b94ebaa4e8ad4de639871e65061f01f9626df3cb936f80be2cd1b316706a1aa2b2625ead6c74036efd147

  • SSDEEP

    12288:LR3BUI4nAZlVqi3Zd9WAp7LE5/Bs+jqP4ARxlXzd46l0xFXc3gIwEL:V3GI4kVfZdsAC/Fo11nl0Pg73L

Score
10/10
guloaderremcoshost-2discoverydownloaderrat

Malware Config

Extracted

Family

remcos

Botnet

Host-2

C2

176.65.142.14:6060

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-HM3EZ8

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader family
    guloader
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL AWB and INV.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL AWB and INV.scr.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Users\Admin\AppData\Local\Temp\DHL AWB and INV.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL AWB and INV.scr.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2144

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsg563F.tmp\System.dll
    Filesize

    11KB

    MD5

    a436db0c473a087eb61ff5c53c34ba27

    SHA1

    65ea67e424e75f5065132b539c8b2eda88aa0506

    SHA256

    75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

    SHA512

    908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

    Download Submit

  • memory/2144-38-0x00000000016E0000-0x0000000006124000-memory.dmp

    Filesize

    74.3MB

    Download

  • memory/2144-41-0x0000000000480000-0x00000000016D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2144-20-0x00000000016E0000-0x0000000006124000-memory.dmp

    Filesize

    74.3MB

    Download

  • memory/2144-21-0x0000000077991000-0x0000000077AB1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2144-22-0x0000000077A18000-0x0000000077A19000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2144-23-0x0000000077A35000-0x0000000077A36000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2144-33-0x0000000000480000-0x00000000016D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2144-39-0x0000000077991000-0x0000000077AB1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2144-34-0x0000000000480000-0x00000000016D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2144-42-0x0000000000480000-0x00000000016D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2144-51-0x0000000000480000-0x00000000016D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2144-40-0x0000000000480000-0x00000000016D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2144-50-0x0000000000480000-0x00000000016D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2144-43-0x0000000000480000-0x00000000016D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2144-44-0x0000000000480000-0x00000000016D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2144-45-0x0000000000480000-0x00000000016D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2144-46-0x0000000000480000-0x00000000016D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2144-47-0x0000000000480000-0x00000000016D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2144-48-0x0000000000480000-0x00000000016D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2144-49-0x0000000000480000-0x00000000016D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2396-18-0x0000000077991000-0x0000000077AB1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2396-19-0x0000000010004000-0x0000000010005000-memory.dmp

    Filesize

    4KB

    Download