Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 23-09-2021 01:28

Static task: static1
Behavioral task: behavioral1
  Sample: Waybill.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Waybill.exe
  Resource: win10-en-20210920
General
- Target: Waybill.exe
- Size: 723KB
- MD5: 09b9b6539a59827caae00b06080ad282
- SHA1: caf0989bf05e05c6a1a71e3b4c8ae10603ef5b76
- SHA256: dbf0fff8619800b75efb046b9028d1bfca9e7fa079f65a4b83d18773df15f787
- SHA512: c6abe7020e437a774c4a7d1838f401495af5704378dcef3fa6147c0f3648ef5b4d942c8c9b6f881515017e1ce26094016dcc1825f9e4cf61b7232541c27a0a8f
Malware Config
Extracted: remcos (version 2.7.2 Pro)
RemoteHost:
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: hjtfjytfcyhnghncghc-O9CPRJ
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: Waybill.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Furleet = "C:\\Users\\Public\\Libraries\\teelruF.url"
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: ieinstal.exe (PID 2820)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Process: Waybill.exe
  Description: PID 1380 (Waybill.exe) wrote to memory of PID 2820 (ieinstal.exe); the same write event is recorded 15 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\Waybill.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Waybill.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
2. C:\Program Files (x86)\internet explorer\ieinstal.exe (child of process 1)
   Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1380-115-0x0000000000520000-0x000000000066A000-memory.dmp (filesize 1.3MB)
- memory/2820-119-0x0000000000000000-mapping.dmp
- memory/2820-121-0x0000000000C70000-0x0000000000C71000-memory.dmp (filesize 4KB)
- memory/2820-120-0x00000000009B0000-0x00000000009B1000-memory.dmp (filesize 4KB)
- memory/2820-123-0x0000000010540000-0x0000000010563000-memory.dmp (filesize 140KB)
- memory/2820-122-0x0000000000C10000-0x0000000000C11000-memory.dmp (filesize 4KB)
- memory/2820-124-0x0000000000400000-0x0000000000421000-memory.dmp (filesize 132KB)