Overview

overview

10

Static

static

Lists.exe

windows7_x64

10

Lists.exe

windows10_x64

10

Resubmissions

25-06-2021 19:00

210625-l7qmjgnpce 10

19-01-2021 19:24

210119-ghpg62s8zx 10

18-01-2021 18:42

210118-qjpbmwpaks 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Lists.exe

  • Size

    799KB

  • Sample

    210118-qjpbmwpaks

  • MD5

    c715a5419ed1ece6e2051e35d3674cc3

  • SHA1

    98e8a74c315b42b88e73129108d5ad338c888124

  • SHA256

    c363769d3d6ae833d71203a5a678ad04349404eae3788865fcdb706c3c7543b0

  • SHA512

    1cbec375fff5500f8247c4be30b6aa15de47ab73b7d914036c76b05ca9db6eb89aad21f1d45fe955c068a8df94393d34a1b88c2fc159340b72759c0dfa93983d

Score
10/10
hawkeyeremcoskeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

remcos

C2

185.140.53.136:1818

Targets

    • Target

      Lists.exe

    • Size

      799KB

    • MD5

      c715a5419ed1ece6e2051e35d3674cc3

    • SHA1

      98e8a74c315b42b88e73129108d5ad338c888124

    • SHA256

      c363769d3d6ae833d71203a5a678ad04349404eae3788865fcdb706c3c7543b0

    • SHA512

      1cbec375fff5500f8247c4be30b6aa15de47ab73b7d914036c76b05ca9db6eb89aad21f1d45fe955c068a8df94393d34a1b88c2fc159340b72759c0dfa93983d

    Score
    10/10
    remcospersistencerathawkeyekeyloggerspywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks