Overview

overview

10

Static

static

teexture.exe

windows7_x64

10

teexture.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    27-01-2022 15:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    teexture.exe

  • Size

    1024KB

  • MD5

    484b0fbe9dcf3de6026aa52b3f26aadf

  • SHA1

    53f6c84d89a923127927091d5b0b212845b68f6e

  • SHA256

    9d8522fac577756511fd093a7e4f5fd2732e33764b07237b13b770ae79bb9361

  • SHA512

    f0ddb4d865ae383b697c9899977b25eb811c409c3afaa9f00cc1bd8031b24b28947bb52fc8a0fe43432e72ea3b2ce3d909dde26d1dba16691813b995d75e680a

Score
10/10
remcosff-fgrat

Malware Config

Extracted

Family

remcos

Version

3.3.2 Pro

Botnet

FF-FG

C2

issacc.duckdns.org:30288

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    sms-audio

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    medi-re4vgt-R8LRUI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\teexture.exe
    "C:\Users\Admin\AppData\Local\Temp\teexture.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:320
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Local\Temp\texture.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Local\Temp\texture.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:960
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\teexture.exe" "C:\Users\Admin\AppData\Local\Temp\texture.exe"
      2⤵
        PID:620
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {82007533-C33B-42AB-8618-FE7BD6A637B4} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Users\Admin\AppData\Local\Temp\texture.exe
        C:\Users\Admin\AppData\Local\Temp\texture.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:364
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
            PID:1880
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Local\Temp\texture.exe'" /f
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2028
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Local\Temp\texture.exe'" /f
              4⤵
              • Creates scheduled task(s)
              PID:1696
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\texture.exe" "C:\Users\Admin\AppData\Local\Temp\texture.exe"
            3⤵
              PID:1924
          • C:\Users\Admin\AppData\Local\Temp\texture.exe
            C:\Users\Admin\AppData\Local\Temp\texture.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            PID:1116
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              3⤵
                PID:1664
              • C:\Windows\SysWOW64\cmd.exe
                "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Local\Temp\texture.exe'" /f
                3⤵
                  PID:1196
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Local\Temp\texture.exe'" /f
                    4⤵
                    • Creates scheduled task(s)
                    PID:1352
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\texture.exe" "C:\Users\Admin\AppData\Local\Temp\texture.exe"
                  3⤵
                    PID:892

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Scheduled Task

              1
              T1053

              Persistence

              Scheduled Task

              1
              T1053

              Privilege Escalation

              Scheduled Task

              1
              T1053

              Defense Evasion

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\texture.exe
                MD5

                484b0fbe9dcf3de6026aa52b3f26aadf

                SHA1

                53f6c84d89a923127927091d5b0b212845b68f6e

                SHA256

                9d8522fac577756511fd093a7e4f5fd2732e33764b07237b13b770ae79bb9361

                SHA512

                f0ddb4d865ae383b697c9899977b25eb811c409c3afaa9f00cc1bd8031b24b28947bb52fc8a0fe43432e72ea3b2ce3d909dde26d1dba16691813b995d75e680a

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\texture.exe
                MD5

                484b0fbe9dcf3de6026aa52b3f26aadf

                SHA1

                53f6c84d89a923127927091d5b0b212845b68f6e

                SHA256

                9d8522fac577756511fd093a7e4f5fd2732e33764b07237b13b770ae79bb9361

                SHA512

                f0ddb4d865ae383b697c9899977b25eb811c409c3afaa9f00cc1bd8031b24b28947bb52fc8a0fe43432e72ea3b2ce3d909dde26d1dba16691813b995d75e680a

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\texture.exe
                MD5

                484b0fbe9dcf3de6026aa52b3f26aadf

                SHA1

                53f6c84d89a923127927091d5b0b212845b68f6e

                SHA256

                9d8522fac577756511fd093a7e4f5fd2732e33764b07237b13b770ae79bb9361

                SHA512

                f0ddb4d865ae383b697c9899977b25eb811c409c3afaa9f00cc1bd8031b24b28947bb52fc8a0fe43432e72ea3b2ce3d909dde26d1dba16691813b995d75e680a

                Download Submit
              • memory/320-67-0x0000000000400000-0x000000000047B000-memory.dmp
                Filesize

                492KB

                Download
              • memory/320-70-0x0000000000400000-0x000000000047B000-memory.dmp
                Filesize

                492KB

                Download
              • memory/320-60-0x0000000000400000-0x000000000047B000-memory.dmp
                Filesize

                492KB

                Download
              • memory/320-61-0x0000000000400000-0x000000000047B000-memory.dmp
                Filesize

                492KB

                Download
              • memory/320-62-0x0000000000400000-0x000000000047B000-memory.dmp
                Filesize

                492KB

                Download
              • memory/320-63-0x0000000000400000-0x000000000047B000-memory.dmp
                Filesize

                492KB

                Download
              • memory/320-64-0x0000000000400000-0x000000000047B000-memory.dmp
                Filesize

                492KB

                Download
              • memory/320-65-0x0000000000400000-0x000000000047B000-memory.dmp
                Filesize

                492KB

                Download
              • memory/320-66-0x0000000000400000-0x000000000047B000-memory.dmp
                Filesize

                492KB

                Download
              • memory/320-59-0x0000000000400000-0x000000000047B000-memory.dmp
                Filesize

                492KB

                Download
              • memory/320-69-0x0000000000400000-0x000000000047B000-memory.dmp
                Filesize

                492KB

                Download
              • memory/364-73-0x00000000002C0000-0x0000000000350000-memory.dmp
                Filesize

                576KB

                Download
              • memory/364-83-0x0000000001FA0000-0x0000000001FA1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1116-89-0x0000000000C70000-0x0000000000D00000-memory.dmp
                Filesize

                576KB

                Download
              • memory/1116-99-0x00000000048E0000-0x00000000048E1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1648-55-0x0000000000AA0000-0x0000000000B30000-memory.dmp
                Filesize

                576KB

                Download
              • memory/1648-58-0x00000000009D0000-0x00000000009D1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1648-57-0x0000000004AF0000-0x0000000004B68000-memory.dmp
                Filesize

                480KB

                Download
              • memory/1648-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1664-103-0x0000000000400000-0x000000000047B000-memory.dmp
                Filesize

                492KB

                Download
              • memory/1880-87-0x0000000000400000-0x000000000047B000-memory.dmp
                Filesize

                492KB

                Download