General

  • Target

    payeeAdviceDated07-April-2025_pdf.exe

  • Size

    583KB

  • Sample

    250406-3zns7assf1

  • MD5

    eca2ccd75638470aa004394ba0ce7556

  • SHA1

    2c38dd2e0a3dae6b40fb5381b8cbe6a9375271ff

  • SHA256

    a31907ef7aa827efdcfc036f0c4640b6a6bbfdd1e0f6a3a63056ce6c0d73c3b6

  • SHA512

    1589c1ef56aff417ecb254b3f0b9aa33cd6f846c34e7b6628c017a16b4c1d59833b17c009086351005f2a47becc68c4a18a9c6faccdcc7c88d6dadb2fad590ec

  • SSDEEP

    12288:ctoOoZHdIAQR5HyY2Q5XjxjLGYknelYJArEhpLBC/nlVUAV2M3j9RXRnX2o7:NOojcL2Q5Xj1LvkneqJ+4BC/lZV20HXn

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    196.251.86.105:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-MJDICZ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      payeeAdviceDated07-April-2025_pdf.exe

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Detected Nirsoft tools

      Free utilities often used by attackers to steal passwords, product keys and similar data.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      ca332bb753b0775d5e806e236ddcec55

    • SHA1

      f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

    • SHA256

      df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

    • SHA512

      2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

    • SSDEEP

      192:eo24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol6Sl:k8QIl975eXqlWBrz7YLOl6

    Score
    3/10
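The extracted Remcos configuration above (C2 endpoint, mutex, install copy folder and file name, keylog and screenshot flags) together with the listed behaviours (Run key persistence, C2 connection) can be turned directly into hunt indicators. The script below is an added example and is not part of the report or any sandbox tooling: it derives the artefacts a host should show if this sample ran with this config and matches them against telemetry. The event schema and the telemetry lines are constructed for the example; the parent directory of the install copy is not among the extracted attributes, so the file and Run-key indicators match on the `copy_folder\copy_file` suffix rather than an absolute path (an assumption), and the `HKCU\...\Run` key location is also assumed.

```python
"""Derive hunt indicators from an extracted Remcos config and match telemetry.

Added example, not code from the report. The telemetry events at the bottom
are constructed for illustration.
"""
import ntpath
import re

# Attributes copied from the extracted config on this page.
REMCOS_CONFIG = {
    "c2": ["196.251.86.105:2404"],
    "mutex": "Rmc-MJDICZ",
    "install_flag": True,
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_flag": False,
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": False,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
}

# Run key location (assumption: HKCU or HKLM CurrentVersion\Run).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def parse_c2(entries):
    """'host:port' strings -> list of (host, port). Remcos configs may carry
    several endpoints; rpartition also copes with a bracketed IPv6 host."""
    out = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        out.append((host.strip("[]"), int(port)))
    return out


def derive_indicators(cfg):
    """Build matchable artefacts from the config. Paths are lower-cased
    folder\\file suffixes because the install parent directory is not part
    of the extracted attributes (assumption)."""
    ind = {"c2": parse_c2(cfg["c2"]), "mutex": cfg["mutex"],
           "install_suffix": None, "keylog_suffix": None}
    if cfg.get("install_flag"):
        ind["install_suffix"] = ntpath.join(cfg["copy_folder"], cfg["copy_file"]).lower()
    if cfg.get("keylog_flag"):  # false for this sample: no logs.dat expected
        ind["keylog_suffix"] = ntpath.join(cfg["keylog_folder"], cfg["keylog_file"]).lower()
    return ind


def match_event(ind, ev):
    """Return a reason string if one telemetry event matches an indicator.

    Constructed event schema:
      {"type": "network",  "dst_ip": str, "dst_port": int}
      {"type": "mutex",    "name": str}
      {"type": "file",     "path": str}
      {"type": "registry", "key": str, "data": str}
    """
    kind = ev.get("type")
    if kind == "network" and (ev["dst_ip"], ev["dst_port"]) in ind["c2"]:
        return f"C2 connection to {ev['dst_ip']}:{ev['dst_port']}"
    if kind == "mutex" and ev["name"] == ind["mutex"]:
        return f"Remcos mutex {ev['name']}"
    if kind == "file":
        path = ev["path"].lower()
        if ind["install_suffix"] and path.endswith("\\" + ind["install_suffix"]):
            return f"install copy written: {ev['path']}"
        if ind["keylog_suffix"] and path.endswith("\\" + ind["keylog_suffix"]):
            return f"keylog file: {ev['path']}"
    if kind == "registry":
        data = ev.get("data", "").strip('"').lower()
        if (RUN_KEY_RE.search(ev["key"]) and ind["install_suffix"]
                and data.endswith(ind["install_suffix"])):
            return f"Run key persistence -> {ev['data']}"
    return None


def hunt(cfg, events):
    """All matching events, in order, as human-readable reasons."""
    ind = derive_indicators(cfg)
    return [r for r in (match_event(ind, ev) for ev in events) if r]


# Constructed telemetry: four events that should match, two that should not.
SAMPLE_EVENTS = [
    {"type": "network", "dst_ip": "196.251.86.105", "dst_port": 2404},
    {"type": "mutex", "name": "Rmc-MJDICZ"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Remcos\remcos.exe"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Remcos",
     "data": r'"C:\Users\alice\AppData\Roaming\Remcos\remcos.exe"'},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\remcos\logs.dat"},  # keylog off
    {"type": "network", "dst_ip": "196.251.86.105", "dst_port": 443},           # wrong port
]

if __name__ == "__main__":
    for reason in hunt(REMCOS_CONFIG, SAMPLE_EVENTS):
        print("HIT:", reason)
```

Matching on the config rather than the file hash survives the repacking that GuLoader-delivered Remcos builds go through: the C2, mutex and install names stay the same across repacked samples while every hash in the header changes. Flipping `keylog_flag` to true in the config is enough to make the `logs.dat` write a hit as well.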
