Overview

overview

10

Static

static

Waybill.exe

windows7_x64

6

Waybill.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    23-09-2021 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Waybill.exe

  • Size

    723KB

  • MD5

    09b9b6539a59827caae00b06080ad282

  • SHA1

    caf0989bf05e05c6a1a71e3b4c8ae10603ef5b76

  • SHA256

    dbf0fff8619800b75efb046b9028d1bfca9e7fa079f65a4b83d18773df15f787

  • SHA512

    c6abe7020e437a774c4a7d1838f401495af5704378dcef3fa6147c0f3648ef5b4d942c8c9b6f881515017e1ce26094016dcc1825f9e4cf61b7232541c27a0a8f

Score
10/10
modiloaderremcosremotehostpersistencerattrojan

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

RemoteHost

C2

rem1.camdvr.org:2404

rem16.hopto.org:2404

rem1666.hopto.org:2404

rem16.camdvr.org:2404

remmusic.freeddns.org:2404

sunwap1.ddns.net:2404

rem166.hopto.org:2404
Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    hjtfjytfcyhnghncghc-O9CPRJ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Waybill.exe
    "C:\Users\Admin\AppData\Local\Temp\Waybill.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1380-115-0x0000000000520000-0x000000000066A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2820-119-0x0000000000000000-mapping.dmp
    Download
  • memory/2820-121-0x0000000000C70000-0x0000000000C71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2820-120-0x00000000009B0000-0x00000000009B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2820-123-0x0000000010540000-0x0000000010563000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2820-122-0x0000000000C10000-0x0000000000C11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2820-124-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download