General
-
Target
4aa54853c4e39405c5280a334c52714ffced26be98dcdd645ec16fb0a2699c4e
-
Size
1.1MB
-
Sample
220712-psnb7adba3
-
MD5
791fb412e1bdc58d44df34e217aa50ae
-
SHA1
0b6547e12d3866d386c5b9396d798d783d4cbb3e
-
SHA256
4aa54853c4e39405c5280a334c52714ffced26be98dcdd645ec16fb0a2699c4e
-
SHA512
50285762e490de0c466fa51c6fe734f1cd2ff1121aaa6633b50b159931e6bc20aaf2b012a75da47117386225b3005b92027fcd9b6a53d90a204d6800bab3c365
Static task
static1
Behavioral task
behavioral1
Sample
Balance_Payment.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Balance_Payment.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
Bank Details.exe
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
Bank Details.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral5
Sample
invoice for the payment.jar
Resource
win7-20220414-en
Behavioral task
behavioral6
Sample
invoice for the payment.jar
Resource
win10v2004-20220414-en
Malware Config
Extracted
remcos
1.7 Pro
sales
178.175.138.219:200
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
microsoft
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_yyaopwkkmmuwfrk
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
- take_screenshot_title
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Targets
-
-
Target
Balance_Payment.exe
-
Size
426KB
-
MD5
0c126915720c2dfabaa824598a7aa0c6
-
SHA1
777c3fdb4c8f7572687cb107040103e796996849
-
SHA256
4b4df849759c4377308e8126e7baee0bf0384fed2dfe03e9273f7cc9069c5b68
-
SHA512
254bfdcb8465f01d3b321a2c5ef347f41f9c4f2e822fb9d64fc1263aa39c65d7cdbdb62c897ad4057cc6ce103959020eeb8a638c536528a9cf2b94f0935fe18e
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload
-
NirSoft MailPassView
Password recovery tool for various email clients
-
Nirsoft
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Drops desktop.ini file(s)
-
Suspicious use of SetThreadContext
-
-
-
Target
Bank Details.exe
-
Size
267KB
-
MD5
af36518f0a97d140dfcd5afbb9740d8a
-
SHA1
3b8c31dcf501d7e93bf6b3e5ffaf1638942cd47c
-
SHA256
93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c
-
SHA512
95cff48acc0e72127f096b0d66d97299433a9a13e4f322195754bd59cef689badf1ec7f447dc3dd25b36cfde665a05c7251c8fa149e0bb5fe3aec97812df9fa8
-
Modifies firewall policy service
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
-
-
Target
invoice for the payment.jar
-
Size
534KB
-
MD5
93d2d92db87d216a310f3e57989f5b71
-
SHA1
c9e87592ad9e35a4042d8f766c537a866a359fd9
-
SHA256
37d20da1d9f4859c04c4f4fa921ef98cec87c7c50e1666c3fe9be5104716b268
-
SHA512
7efd15ef40f5cb46cf905ab96a7d19b114e111b2cf77a0729de5693019242e0c013cc4c846051d14286915dcf52edb22e2fa388dc1119ab1284f1dd3df110880
Score10/10-
Disables Task Manager via registry modification
-
Disables use of System Restore points
-
Executes dropped EXE
-
Sets file execution options in registry
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
1Modify Existing Service
1Registry Run Keys / Startup Folder
2Defense Evasion
Bypass User Account Control
1Disabling Security Tools
3Hidden Files and Directories
1Modify Registry
8