Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220722-en -
resource tags
-
submitted
04-08-2022 12:40
General
-
Target
455043f1dd7882239a50cca55df4fbdf5cc5e04e305c7052346fc38c2aad015e.exe
-
Size
908KB
-
MD5
a839fb289dbb1fcf3930f6a6563bcb72
-
SHA1
340bae0136824ad2c71d5e01ac0dd17dc836c328
-
SHA256
455043f1dd7882239a50cca55df4fbdf5cc5e04e305c7052346fc38c2aad015e
-
SHA512
e61966abe261527fd1d18b2f15036abd00d01181658cb74d785c1c690b33eae4122d3189cfe489970155ba316a2fa8693b245d144c0b5c82632d73e50e7c2cdf
Score
10/10
Malware Config
Extracted
Family
remcos
Botnet
RemoteHost
C2
hendersonk1.hopto.org:2404
henderson1.camdvr.org:2404
centplus1.serveftp.com:2404
harrywlike.ddns.net:2404
genekol.nsupdate.info:2404
harrywlike1.ddns.net:2404
hendersonk2022.hopto.org:2404
genekol1.nsupdate.info:2404
generem.camdvr.org:2404
Attributes
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
gsgjdwg-T9YVQ6
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
ModiLoader Second Stage 61 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\455043f1dd7882239a50cca55df4fbdf5cc5e04e305c7052346fc38c2aad015e.exe"C:\Users\Admin\AppData\Local\Temp\455043f1dd7882239a50cca55df4fbdf5cc5e04e305c7052346fc38c2aad015e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Xjbljot.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\XjbljoO.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet session4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 session5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\logagent.exe"C:\Windows\System32\logagent.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Libraries\Cdex.batFilesize
155B
MD5213c60adf1c9ef88dc3c9b2d579959d2
SHA1e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021
SHA25637c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e
SHA512fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7
-
C:\Users\Public\Libraries\XjbljoO.batFilesize
1KB
MD5df48c09f243ebcc8a165f77a1c2bf889
SHA1455f7db0adcc2a58d006f1630fb0bd55cd868c07
SHA2564ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca
SHA512735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc
-
C:\Users\Public\Libraries\Xjbljot.batFilesize
55B
MD5f1d72164800990d4a41e4995efbf4975
SHA1fb81815d31ce10e787c80b8ef80a2d1e7444b4b5
SHA256b7704d10e3b965c68f09e5f50105a1b8c319b471e659f274bdf1d75dda760589
SHA512d9cad58f95ecccad401815c0b18c710d92e11bd28e943488e8dfdf543bc8a776adcb1cf5a7ee061a8ffd9d1d8048628a737c1ee80b322ce93f0d0e491673ca38
-
memory/2160-206-0x0000000000000000-mapping.dmp
-
memory/2200-203-0x0000000000000000-mapping.dmp
-
memory/3512-201-0x0000000000000000-mapping.dmp
-
memory/3568-205-0x0000000000000000-mapping.dmp
-
memory/4692-239-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-185-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-181-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-182-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-184-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-261-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-186-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-183-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-187-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-188-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-189-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-191-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-190-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-192-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-193-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-194-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-195-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-196-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-197-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-199-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-198-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-200-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-179-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-178-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-176-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-177-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-175-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-174-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-173-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-260-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-259-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-258-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-257-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-256-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-255-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-254-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-253-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-252-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-251-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-248-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-236-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-250-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-180-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-246-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-245-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-244-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-225-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-226-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-228-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-229-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-230-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-227-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-242-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-233-0x0000000050600000-0x000000005068D000-memory.dmpFilesize
564KB
-
memory/4692-234-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-235-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-243-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-237-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-238-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-157-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-240-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4692-241-0x00000000051F0000-0x000000000529E000-memory.dmpFilesize
696KB
-
memory/4904-247-0x0000000050600000-0x000000005068D000-memory.dmpFilesize
564KB
-
memory/4904-232-0x0000000000000000-mapping.dmp
-
memory/4904-262-0x0000000000400000-0x000000000047A000-memory.dmpFilesize
488KB
-
memory/4904-249-0x0000000000400000-0x000000000047A000-memory.dmpFilesize
488KB
-
memory/4968-222-0x0000000007910000-0x000000000791E000-memory.dmpFilesize
56KB
-
memory/4968-213-0x0000000005DE0000-0x0000000005E46000-memory.dmpFilesize
408KB
-
memory/4968-223-0x0000000007A20000-0x0000000007A3A000-memory.dmpFilesize
104KB
-
memory/4968-215-0x0000000007550000-0x0000000007582000-memory.dmpFilesize
200KB
-
memory/4968-218-0x0000000007D30000-0x00000000083AA000-memory.dmpFilesize
6.5MB
-
memory/4968-224-0x0000000007A00000-0x0000000007A08000-memory.dmpFilesize
32KB
-
memory/4968-216-0x000000006D9C0000-0x000000006DA0C000-memory.dmpFilesize
304KB
-
memory/4968-209-0x0000000004F40000-0x0000000004F76000-memory.dmpFilesize
216KB
-
memory/4968-214-0x00000000063E0000-0x00000000063FE000-memory.dmpFilesize
120KB
-
memory/4968-219-0x00000000076E0000-0x00000000076FA000-memory.dmpFilesize
104KB
-
memory/4968-212-0x0000000005D00000-0x0000000005D66000-memory.dmpFilesize
408KB
-
memory/4968-211-0x0000000005530000-0x0000000005552000-memory.dmpFilesize
136KB
-
memory/4968-210-0x00000000056D0000-0x0000000005CF8000-memory.dmpFilesize
6.2MB
-
memory/4968-220-0x0000000007760000-0x000000000776A000-memory.dmpFilesize
40KB
-
memory/4968-208-0x0000000000000000-mapping.dmp
-
memory/4968-221-0x0000000007950000-0x00000000079E6000-memory.dmpFilesize
600KB
-
memory/4968-217-0x0000000007530000-0x000000000754E000-memory.dmpFilesize
120KB