Overview

overview

10

Static

static

teexture.exe

windows7_x64

10

teexture.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    27-01-2022 15:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    teexture.exe

  • Size

    1024KB

  • MD5

    484b0fbe9dcf3de6026aa52b3f26aadf

  • SHA1

    53f6c84d89a923127927091d5b0b212845b68f6e

  • SHA256

    9d8522fac577756511fd093a7e4f5fd2732e33764b07237b13b770ae79bb9361

  • SHA512

    f0ddb4d865ae383b697c9899977b25eb811c409c3afaa9f00cc1bd8031b24b28947bb52fc8a0fe43432e72ea3b2ce3d909dde26d1dba16691813b995d75e680a

Score
10/10
remcosff-fgrat

Malware Config

Extracted

Family

remcos

Version

3.3.2 Pro

Botnet

FF-FG

C2

issacc.duckdns.org:30288

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    sms-audio

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    medi-re4vgt-R8LRUI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\teexture.exe
    "C:\Users\Admin\AppData\Local\Temp\teexture.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:2892
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Local\Temp\texture.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Local\Temp\texture.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:1332
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\teexture.exe" "C:\Users\Admin\AppData\Local\Temp\texture.exe"
      2⤵
        PID:2136
    • C:\Users\Admin\AppData\Local\Temp\texture.exe
      C:\Users\Admin\AppData\Local\Temp\texture.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
          PID:376
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Local\Temp\texture.exe'" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3228
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Local\Temp\texture.exe'" /f
            3⤵
            • Creates scheduled task(s)
            PID:2680
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\texture.exe" "C:\Users\Admin\AppData\Local\Temp\texture.exe"
          2⤵
            PID:3324
        • C:\Users\Admin\AppData\Local\Temp\texture.exe
          C:\Users\Admin\AppData\Local\Temp\texture.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3736
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            2⤵
              PID:1784
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Local\Temp\texture.exe'" /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2296
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Local\Temp\texture.exe'" /f
                3⤵
                • Creates scheduled task(s)
                PID:2392
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\texture.exe" "C:\Users\Admin\AppData\Local\Temp\texture.exe"
              2⤵
                PID:3244

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\texture.exe.log
              MD5

              807cb75397a3a9fc38e9fb5f8566eb2d

              SHA1

              367e151fab5a5a80e60202d287ae522ea53e2563

              SHA256

              3e5056b73303b361e6b7b52f5edb2ed1a7e9dc2c762bb91d18046f42bc2ffcf3

              SHA512

              49efef0401ba0e0dc0b30bdff5d414da5494e4194c6269da2cb40b1ab7dc53e7858d29d2b9982bf3ee60ebc9638b5ed2b5ddcbb536bcc57729e79fc81f59f13d

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\texture.exe
              MD5

              484b0fbe9dcf3de6026aa52b3f26aadf

              SHA1

              53f6c84d89a923127927091d5b0b212845b68f6e

              SHA256

              9d8522fac577756511fd093a7e4f5fd2732e33764b07237b13b770ae79bb9361

              SHA512

              f0ddb4d865ae383b697c9899977b25eb811c409c3afaa9f00cc1bd8031b24b28947bb52fc8a0fe43432e72ea3b2ce3d909dde26d1dba16691813b995d75e680a

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\texture.exe
              MD5

              484b0fbe9dcf3de6026aa52b3f26aadf

              SHA1

              53f6c84d89a923127927091d5b0b212845b68f6e

              SHA256

              9d8522fac577756511fd093a7e4f5fd2732e33764b07237b13b770ae79bb9361

              SHA512

              f0ddb4d865ae383b697c9899977b25eb811c409c3afaa9f00cc1bd8031b24b28947bb52fc8a0fe43432e72ea3b2ce3d909dde26d1dba16691813b995d75e680a

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\texture.exe
              MD5

              484b0fbe9dcf3de6026aa52b3f26aadf

              SHA1

              53f6c84d89a923127927091d5b0b212845b68f6e

              SHA256

              9d8522fac577756511fd093a7e4f5fd2732e33764b07237b13b770ae79bb9361

              SHA512

              f0ddb4d865ae383b697c9899977b25eb811c409c3afaa9f00cc1bd8031b24b28947bb52fc8a0fe43432e72ea3b2ce3d909dde26d1dba16691813b995d75e680a

              Download Submit
            • memory/376-129-0x0000000000400000-0x000000000047B000-memory.dmp
              Filesize

              492KB

              Download
            • memory/1012-125-0x00000000052D0000-0x00000000052D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1784-136-0x0000000000400000-0x000000000047B000-memory.dmp
              Filesize

              492KB

              Download
            • memory/2776-118-0x0000000004B20000-0x0000000004B21000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2776-115-0x00000000002B0000-0x0000000000340000-memory.dmp
              Filesize

              576KB

              Download
            • memory/2776-117-0x0000000004DE0000-0x0000000004E58000-memory.dmp
              Filesize

              480KB

              Download
            • memory/2776-116-0x0000000005030000-0x000000000552E000-memory.dmp
              Filesize

              5.0MB

              Download
            • memory/2892-122-0x0000000000400000-0x000000000047B000-memory.dmp
              Filesize

              492KB

              Download
            • memory/2892-119-0x0000000000400000-0x000000000047B000-memory.dmp
              Filesize

              492KB

              Download
            • memory/3736-132-0x00000000056D0000-0x0000000005711000-memory.dmp
              Filesize

              260KB

              Download