Overview

overview

10

Static

static

Statement ...21.exe

windows7_x64

10

Statement ...21.exe

windows10_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07-05-2021 13:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Statement of Account April-2021.exe

  • Size

    1.4MB

  • MD5

    384e5af70000fb658251d79ddf8e8878

  • SHA1

    a2bafce0284f457eafd3dcbed73adeb84ed762df

  • SHA256

    98e5d25243d03b80cc83c955796c42b39f308f55102a9ec01d0f308e06b4cfa9

  • SHA512

    28ebd09467fa0781dc3c8a33ea24cb642ecfbcd56fd859c74590773147a45861752446501afc83e441d90507509de4b2b707a5e9b96531ae3a0358ed1ec76e9a

Score
10/10
remcosagilenetrat

Malware Config

Extracted

Family

remcos

C2

45.137.22.107:5888

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Statement of Account April-2021.exe
    "C:\Users\Admin\AppData\Local\Temp\Statement of Account April-2021.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      PID:1712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    MD5

    54a47f6b5e09a77e61649109c6a08866

    SHA1

    4af001b3c3816b860660cf2de2c0fd3c1dfb4878

    SHA256

    121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

    SHA512

    88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

    Download Submit
  • \Users\Admin\AppData\Local\Temp\svchost.exe
    MD5

    54a47f6b5e09a77e61649109c6a08866

    SHA1

    4af001b3c3816b860660cf2de2c0fd3c1dfb4878

    SHA256

    121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

    SHA512

    88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

    Download Submit
  • memory/1304-60-0x00000000013C0000-0x00000000013C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1304-62-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1304-64-0x0000000001380000-0x00000000013A1000-memory.dmp
    Filesize

    132KB

    Download
  • memory/1304-65-0x0000000004BD1000-0x0000000004BD2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1304-66-0x0000000000A70000-0x0000000000A7B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1304-67-0x0000000000C00000-0x0000000000C01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-69-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1712-70-0x000000000042EEEF-mapping.dmp
    Download
  • memory/1712-72-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1712-73-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download