Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/02/2023, 18:44 UTC

General

  • Target

    d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe

  • Size

    7KB

  • MD5

    b359f4af5c88b1e237db9738415b7682

  • SHA1

    d7fa6d87594ea4d8b5740d54fdc204b08f4e9439

  • SHA256

    53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd

  • SHA512

    6d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb

  • SSDEEP

    96:xtEsKVeCVIP7bLp8LAn5c8aY1ej/kKV+J2qzNt:xUVVIP7bLrEOejcKYx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

194.180.49.17:28282

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    rdfghfgjkgoighjc.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-PC1DJ2

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Detect PureCrypter injector 1 IoCs
  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox describes this signature as "Likely ransomware behaviour", but it is a generic heuristic; the extracted configuration and the Remcos signature above identify this sample as a RAT, so read this hit as drive enumeration rather than evidence of encryption activity.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
    "C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:648
    • C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
      C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe
        "C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1504
        • C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe
          C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetWindowsHookEx
          PID:1724
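The process tree above is the part of this report that rewards parsing rather than reading: both PowerShell children carry a base64 -ENC argument, and twice a process spawns a second instance of its own image while carrying the SetThreadContext and WriteProcessMemory signatures. What follows is an added example (my code, not the sandbox's and not the sample's) that reproduces the tree as constructed data and automates both checks; the short names in `sigs` are my shorthand for the report's signature labels.

```python
# Added example (not part of the sandbox report): walk a process tree in the
# shape shown above and pull out two things an analyst wants immediately:
# the plaintext behind any PowerShell -EncodedCommand, and parent/child pairs
# where a process re-launches its own image while also touching
# SetThreadContext and WriteProcessMemory (the hollowing / self-injection
# shape that produces the "Suspicious use of SetThreadContext" hits above).
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the report's process tree: pid, parent pid, image path,
# command line and the behaviour signatures attributed to each process.
LOADER = r"C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe"
DROPPED = r"C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
          r'-ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==')

PROCESSES = [
    {"pid": 1080, "ppid": 0, "image": LOADER, "cmdline": f'"{LOADER}"',
     "sigs": {"RunKey", "SetThreadContext", "AdjustPrivilegeToken", "WriteProcessMemory"}},
    {"pid": 648, "ppid": 1080, "image": PS_IMAGE, "cmdline": PS_CMD,
     "sigs": {"EnumeratesProcesses", "AdjustPrivilegeToken"}},
    {"pid": 1632, "ppid": 1080, "image": LOADER, "cmdline": LOADER,
     "sigs": {"LoadsDroppedDLL", "RunKey", "WriteProcessMemory"}},
    {"pid": 1304, "ppid": 1632, "image": DROPPED, "cmdline": f'"{DROPPED}"',
     "sigs": {"ExecutesDroppedEXE", "RunKey", "SetThreadContext",
              "AdjustPrivilegeToken", "WriteProcessMemory"}},
    {"pid": 1504, "ppid": 1304, "image": PS_IMAGE, "cmdline": PS_CMD,
     "sigs": {"EnumeratesProcesses", "AdjustPrivilegeToken"}},
    {"pid": 1724, "ppid": 1304, "image": DROPPED, "cmdline": DROPPED,
     "sigs": {"ExecutesDroppedEXE", "RunKey", "SetWindowsHookEx"}},
]

_TOKEN = re.compile(r'"[^"]*"|\S+')   # split on whitespace, keep quoted paths whole


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if the command line has
    no such switch. powershell.exe accepts any unambiguous prefix of the switch
    name (-e, -ec, -enc, ...) case-insensitively, and the value is the base64 of
    the script text encoded as UTF-16LE."""
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    for i in range(len(tokens) - 1):
        switch = tokens[i].lower()
        if switch.startswith("-e") and "-encodedcommand".startswith(switch):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None   # switch present but payload malformed: still worth a look
    return None


def encoded_commands(procs: List[dict]) -> Dict[int, str]:
    """pid -> decoded script for every process launched with an encoded command."""
    out: Dict[int, str] = {}
    for p in procs:
        decoded = decode_encoded_command(p["cmdline"])
        if decoded is not None:
            out[p["pid"]] = decoded
    return out


HOLLOW_SIGS = {"SetThreadContext", "WriteProcessMemory"}


def hollowing_candidates(procs: List[dict]) -> List[Tuple[int, int]]:
    """(parent pid, child pid) pairs where the parent re-launches its own image
    and carries the thread-context + memory-write signatures: the usual sign
    that the child was created suspended, overwritten, and then resumed."""
    by_pid = {p["pid"]: p for p in procs}
    hits: List[Tuple[int, int]] = []
    for child in procs:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue
        if (child["image"].lower() == parent["image"].lower()
                and HOLLOW_SIGS <= parent["sigs"]):
            hits.append((parent["pid"], child["pid"]))
    return hits


if __name__ == "__main__":
    for pid, script in encoded_commands(PROCESSES).items():
        print(f"pid {pid}: -ENC decodes to {script!r}")
    for parent, child in hollowing_candidates(PROCESSES):
        print(f"pid {parent} re-spawned its own image as pid {child} (hollowing candidate)")
```

Run as a script it reports that PIDs 648 and 1504 both decode to `start-sleep -seconds 20`, a plain 20-second delay, and that 1080 -> 1632 and 1304 -> 1724 are the self-injection pairs. Note also that the PowerShell command line names C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe while the recorded image lives under SysWOW64: that is WOW64 file-system redirection, so the process that launched it is 32-bit.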

Network

    Remote address country: NL
    GET
    http://194.180.49.17/Vvlhkp.bmp
    d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
    Remote address:
    194.180.49.17:80
    Request
    GET /Vvlhkp.bmp HTTP/1.1
    Host: 194.180.49.17
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: image/bmp
    Last-Modified: Fri, 03 Feb 2023 02:52:01 GMT
    Accept-Ranges: bytes
    ETag: "cbc6437d7a37d91:0"
    Server: Microsoft-IIS/10.0
    Date: Fri, 03 Feb 2023 18:44:49 GMT
    Content-Length: 5437440
    Remote address country: NL
    GET
    http://194.180.49.17/Vvlhkp.bmp
    rdfghfgjkgoighjc.exe
    Remote address:
    194.180.49.17:80
    Request
    GET /Vvlhkp.bmp HTTP/1.1
    Host: 194.180.49.17
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: image/bmp
    Last-Modified: Fri, 03 Feb 2023 02:52:01 GMT
    Accept-Ranges: bytes
    ETag: "cbc6437d7a37d91:0"
    Server: Microsoft-IIS/10.0
    Date: Fri, 03 Feb 2023 18:45:23 GMT
    Content-Length: 5437440
    Remote address country: US
    DNS
    geoplugin.net
    rdfghfgjkgoighjc.exe
    Remote address:
    8.8.8.8:53
    Request
    geoplugin.net
    IN A
    Response
    geoplugin.net
    IN A
    178.237.33.50
    Remote address country: NL
    GET
    http://geoplugin.net/json.gp
    rdfghfgjkgoighjc.exe
    Remote address:
    178.237.33.50:80
    Request
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Fri, 03 Feb 2023 20:13:55 GMT
    server: Apache
    content-length: 930
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
  • 194.180.49.17:80
    d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
    152 B
    3
  • 194.180.49.17:80
    http://194.180.49.17/Vvlhkp.bmp
    http
    d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
    112.7kB
    5.6MB
    2262
    4009

    HTTP Request

    GET http://194.180.49.17/Vvlhkp.bmp

    HTTP Response

    200
  • 194.180.49.17:80
    http://194.180.49.17/Vvlhkp.bmp
    http
    rdfghfgjkgoighjc.exe
    111.3kB
    5.6MB
    2237
    4005

    HTTP Request

    GET http://194.180.49.17/Vvlhkp.bmp

    HTTP Response

    200
  • 194.180.49.17:28282
    tls
    rdfghfgjkgoighjc.exe
    3.0kB
    1.5kB
    12
    13
  • 178.237.33.50:80
    http://geoplugin.net/json.gp
    http
    rdfghfgjkgoighjc.exe
    301 B
    2.4kB
    5
    4

    HTTP Request

    GET http://geoplugin.net/json.gp

    HTTP Response

    200
  • 8.8.8.8:53
    geoplugin.net
    dns
    rdfghfgjkgoighjc.exe
    59 B
    75 B
    1
    1

    DNS Request

    geoplugin.net

    DNS Response

    178.237.33.50
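Both stages fetch the same 5,437,440-byte object from 194.180.49.17, served with Content-Type image/bmp to a 7KB executable. The report shows only the response headers, not the body, so whether Vvlhkp.bmp is a bitmap at all is the first thing to settle once the body is pulled from the capture. The following added example (my code, not the sandbox's) parses the BMP file header from a body and compares it with the HTTP Content-Length, which separates a genuine bitmap from a payload merely served with an image content type, or from a real image with a payload appended after its pixel array. Both sample bodies are constructed here.

```python
# Added example (not part of the sandbox report): does a body served as
# image/bmp parse as a bitmap whose own header agrees with the HTTP
# Content-Length? The two sample bodies are constructed; the report shows only
# the headers of the 5,437,440-byte Vvlhkp.bmp response, not its body.
import struct
from typing import Dict, List, Optional

FILE_HDR = "<2sIHHI"                       # BITMAPFILEHEADER: magic, bfSize, res, res, bfOffBits
DIB_SIZES = {12, 40, 52, 56, 108, 124}     # CORE / INFO / V2 / V3 / V4 / V5 header sizes


def bmp_header_check(body: bytes, content_length: int) -> Dict[str, object]:
    """Compare the bitmap's self-declared sizes with what the server sent.
    Returns {"is_bmp": bool, "issues": [...], "trailing_bytes": int | None};
    trailing_bytes is how much data follows the pixel array (0 for a clean file,
    None when it cannot be computed, e.g. unknown or compressed DIB)."""
    issues: List[str] = []
    if len(body) < 18:
        return {"is_bmp": False, "issues": ["shorter than a BMP file header"], "trailing_bytes": None}
    magic, bf_size, _r1, _r2, bf_off = struct.unpack_from(FILE_HDR, body, 0)
    (dib_size,) = struct.unpack_from("<I", body, 14)
    if magic != b"BM":
        issues.append(f"magic {magic!r} is not b'BM'")
    if bf_size != content_length:
        issues.append(f"bfSize {bf_size} != Content-Length {content_length}")
    if dib_size not in DIB_SIZES:
        issues.append(f"unknown DIB header size {dib_size}")
    offset_ok = 14 + dib_size <= bf_off < content_length
    if not offset_ok:
        issues.append(f"bfOffBits {bf_off} does not point inside the file")
    trailing: Optional[int] = None
    if offset_ok and dib_size >= 40 and len(body) >= 14 + 40:
        # BITMAPINFOHEADER prefix: biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression
        _, width, height, _planes, bpp, compression = struct.unpack_from("<IiiHHI", body, 14)
        if compression == 0:                                   # BI_RGB: size is fully determined
            stride = ((abs(width) * bpp + 31) // 32) * 4       # rows are padded to 4 bytes
            trailing = content_length - (bf_off + stride * abs(height))
            if trailing < 0:
                issues.append("declared pixel array runs past the end of the file")
            elif trailing > 0:
                issues.append(f"{trailing} bytes follow the pixel array")
    return {"is_bmp": not issues, "issues": issues, "trailing_bytes": trailing}


def build_sample_bmp() -> bytes:
    """Constructed input: a genuine 2x2 24-bit bitmap (14 + 40 header bytes, 16 pixel bytes)."""
    row = bytes([0, 0, 255, 0, 255, 0]) + b"\x00\x00"         # two BGR pixels + pad to 4 bytes
    pixels = row * 2
    dib = struct.pack("<IiiHHIIiiII", 40, 2, 2, 1, 24, 0, len(pixels), 0, 0, 0, 0)
    hdr = struct.pack(FILE_HDR, b"BM", 14 + len(dib) + len(pixels), 0, 0, 14 + len(dib))
    return hdr + dib + pixels


def build_fake_payload() -> bytes:
    """Constructed input: 'BM' glued onto arbitrary bytes, enough to fool a content sniffer."""
    return b"BM" + bytes(range(256)) * 4


if __name__ == "__main__":
    real = build_sample_bmp()
    for name, body in [("real bitmap", real),
                       ("fake payload", build_fake_payload()),
                       ("bitmap with 100 appended bytes", real + b"\x90" * 100)]:
        print(name, "->", bmp_header_check(body, len(body)))
```

On a real capture, pass the reassembled response body and the Content-Length from the header (5437440 here); a non-zero trailing_bytes or a bfSize mismatch means the file carries more than an image and is the region to carve next.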

MITRE ATT&CK Enterprise v6


Downloads

  • C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe

    Filesize

    7KB

    MD5

    b359f4af5c88b1e237db9738415b7682

    SHA1

    d7fa6d87594ea4d8b5740d54fdc204b08f4e9439

    SHA256

    53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd

    SHA512

    6d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb


  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    5fec35fdc621e8534c9e3aabe367c39f

    SHA1

    83f4512cf0e642441799753180848ef540eda994

    SHA256

    9231873b893f26e3fcc81f15243db686e6f636e7ec10b22ba4399537bdade3d3

    SHA512

    86350e46768be488e9aa25bfec8102c68f1f47da5b69361e20001a59a6b629858ced02bf81780d0c6151031eb9e0d658abdacb9a1a4087ac1fabc051a79acf83

  • C:\Users\Admin\AppData\Roaming\Zwpfblvosjv\Phecxlkxbf.exe

    Filesize

    7KB

    MD5

    b359f4af5c88b1e237db9738415b7682

    SHA1

    d7fa6d87594ea4d8b5740d54fdc204b08f4e9439

    SHA256

    53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd

    SHA512

    6d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb

  • \ProgramData\Remcos\rdfghfgjkgoighjc.exe

    Filesize

    7KB

    MD5

    b359f4af5c88b1e237db9738415b7682

    SHA1

    d7fa6d87594ea4d8b5740d54fdc204b08f4e9439

    SHA256

    53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd

    SHA512

    6d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb

  • memory/648-{59,60,61}-0x000000006F550000-0x000000006FAFB000-memory.dmp (three dumps of the same region)

    Filesize

    5.7MB

  • memory/1080-54-0x00000000008A0000-0x00000000008A8000-memory.dmp

    Filesize

    32KB

  • memory/1080-55-0x0000000076411000-0x0000000076413000-memory.dmp

    Filesize

    8KB

  • memory/1080-56-0x0000000007220000-0x00000000074BE000-memory.dmp

    Filesize

    2.6MB

  • memory/1080-62-0x0000000004D60000-0x0000000004DE0000-memory.dmp

    Filesize

    512KB

  • memory/1304-85-0x00000000001A0000-0x00000000001A8000-memory.dmp

    Filesize

    32KB

  • memory/1504-{90,91,92}-0x000000006F530000-0x000000006FADB000-memory.dmp (three dumps of the same region)

    Filesize

    5.7MB

  • memory/1632-{63,64,66,68,69,70,71,73,75,79,83}-0x0000000000400000-0x0000000000480000-memory.dmp (eleven dumps of the same region)

    Filesize

    512KB

  • memory/1724-{111,112,113}-0x0000000000400000-0x0000000000480000-memory.dmp (three dumps of the same region)

    Filesize

    512KB
