Analysis

  • max time kernel
    155s
  • max time network
    155s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    18-10-2021 12:50

General

  • Target

    6e8b61223a73c3c6f33f628369bcbffc.exe

  • Size

    1.0MB

  • MD5

    6e8b61223a73c3c6f33f628369bcbffc

  • SHA1

    f26a2823cf0682c92883d46bae925e70c9c0fe86

  • SHA256

    127a16f1a19d0ebdacb1177a2365f26aa1abe1cef25518460a2220cc282eea02

  • SHA512

    60590e1952902ce59a72bcffa1b67258d9bad91dfc6a688bd871c35655d64d4707283740527b128c693685ec31f4a1b1fa06ee6fe6f3dfc0cae9d574cc760e9c

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

NEWYEAR

C2

cato.fingusti.club:6609

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-VHEUO4

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e8b61223a73c3c6f33f628369bcbffc.exe
    "C:\Users\Admin\AppData\Local\Temp\6e8b61223a73c3c6f33f628369bcbffc.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Users\Admin\AppData\Roaming\68965096\jbavorji.pif
      "C:\Users\Admin\AppData\Roaming\68965096\jbavorji.pif" npmdsadlc.eui
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:1480

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\68965096\jbavorji.pif

    MD5

    8e699954f6b5d64683412cc560938507

    SHA1

    8ca6708b0f158eacce3ac28b23c23ed42c168c29

    SHA256

    c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

    SHA512

    13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

  • C:\Users\Admin\AppData\Roaming\68965096\npmdsadlc.eui

    MD5

    b52f5de7384925ee98df55de4cd697d2

    SHA1

    8c5ebcbc83d06c266ff50d2d9320c0d062b71ead

    SHA256

    ad3371b0d1af4f0db7690c6e8589485b7f21b4af9e4113b4997b3a59e4ab9be9

    SHA512

    0ee056060d0aad44d9449818728fa56993141ddf1e69a159090674907fd51166b3f6c04b01c3aaba4103fef91072944840a323580c6c5468939bb97b1ed5e3c8

  • C:\Users\Admin\AppData\Roaming\68965096\qude.dat

    MD5

    62b4554c96656a0a03f7f42421e860e2

    SHA1

    d5e713fae72d4787c2e76de6b89b38a6db30152a

    SHA256

    99440a5e2b64920ed6728b4489bccdb1fb25ab3a47179f29a049a3a704b900dc

    SHA512

    c2af1e4586d97547a7b13e4e9103d369af1c89d133e75ee17e0ee87ba96182b29d80566e17fd9788ef11e10b15565ab963485c5d5bae1ea6341da305b36f22dd

  • C:\Users\Admin\AppData\Roaming\68965096\wanl.kkb

    MD5

    05c913f7f02f50b6b4b7aded6f536f05

    SHA1

    f20f1c27fc6a30df90c924cc2bf85cb09576b1a2

    SHA256

    026a0636bb89b013177c0bfe6030f6a34ab736870661283d563d6513f1bb3da7

    SHA512

    ccd2a4785410289aa39edbb41f214ea4bd23664f6a5c6ffb187af47952f8250e2bb32a8263e61d8ffc8b3a88683a2d8cb69b77f7ddc156b59d55c4c1e279bf08

  • memory/912-115-0x0000000000000000-mapping.dmp

  • memory/1480-121-0x0000000000500000-0x0000000000B38000-memory.dmp

    Filesize

    6.2MB

  • memory/1480-122-0x0000000000513FA4-mapping.dmp

  • memory/1480-123-0x0000000000500000-0x0000000000B38000-memory.dmp

    Filesize

    6.2MB