Overview

overview

10

Static

static

3

6432e96629...1b.exe

windows7-x64

10

6432e96629...1b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    161s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2023 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b.exe

  • Size

    145KB

  • MD5

    2ef95efdbedb353a82497ab63aa39067

  • SHA1

    a7784438c0ca3e37d63fc409435f6a5e96f73f41

  • SHA256

    6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b

  • SHA512

    1c053e93ffb29b7ef556e898650e447e8f3c101e5eb491fdd68adebc98434745b69fabf959db3d5fb0993b2be8c06f448d0b031de88024d7a4d37fdcab8dbfad

  • SSDEEP

    3072:X3gonQnBpzMo4JPj5hMVXUgbRZlIwTqeq+3r7E4sf65NiJtmghrOy7BCRIVCNfD0:nDnyMVIZLT

Score
10/10
redlineremcosquoteevasioninfostealerpersistenceratstealertrojan

Malware Config

Extracted

Family

remcos

Botnet

QUOTE

C2

172.93.164.93:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Explorers.exe

  • copy_folder

    Explorers

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-8S6SMR

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Explorers

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Detects Redline Stealer samples 2 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b.exe
    "C:\Users\Admin\AppData\Local\Temp\6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4440
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mvhddbbjwgdqlpsquote .pdf"
      2⤵
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4688
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        3⤵
          PID:2084
      • C:\Users\Admin\AppData\Local\Temp\6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b.exe
        C:\Users\Admin\AppData\Local\Temp\6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b.exe
        2⤵
          PID:1252
        • C:\Users\Admin\AppData\Local\Temp\6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b.exe
          C:\Users\Admin\AppData\Local\Temp\6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b.exe
          2⤵
          • Checks computer location settings
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1280
          • C:\Windows\SysWOW64\cmd.exe
            /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1916
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              4⤵
              • UAC bypass
              • Modifies registry key
              PID:2268
          • C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe
            "C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4516
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4356

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        1KB

        MD5

        4280e36a29fa31c01e4d8b2ba726a0d8

        SHA1

        c485c2c9ce0a99747b18d899b71dfa9a64dabe32

        SHA256

        e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

        SHA512

        494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
        Filesize

        53KB

        MD5

        06ad34f9739c5159b4d92d702545bd49

        SHA1

        9152a0d4f153f3f40f7e606be75f81b582ee0c17

        SHA256

        474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

        SHA512

        c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        16KB

        MD5

        0304ee0d45469faffc892bd3664a955c

        SHA1

        313430e3e7368c5161acf422a12f37a9a99058ba

        SHA256

        ed95ff69a22f0206732f01fdad296f4a58c218efdc14ae9b06b094a91b2bb084

        SHA512

        b6f1c505569ca5e1147759b36df3d8b3af064614352b701f820cad2537c75d2da3b85215f84d21adc194cf95f832e1d476f8dc89fbd596ae92cb3913ac4c9329

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Mvhddbbjwgdqlpsquote .pdf
        Filesize

        95KB

        MD5

        b39397d02b8cdafec5e6ea4f98210a76

        SHA1

        44dc7358e5540457d3c2527c45f943ae12024df2

        SHA256

        cbad00d956559d07d590b06652062e43c6e786b3506e3c3fafcda962ea5c59ac

        SHA512

        afbcaca434a99b91ed6abbe83ebd9763c5345febb76f134ee030a63c0768c87a684dbc7063048d8629e62a62b321b44220921a759ffce516a26128e39f1eb22d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_np20kdhm.a2y.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe
        Filesize

        145KB

        MD5

        2ef95efdbedb353a82497ab63aa39067

        SHA1

        a7784438c0ca3e37d63fc409435f6a5e96f73f41

        SHA256

        6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b

        SHA512

        1c053e93ffb29b7ef556e898650e447e8f3c101e5eb491fdd68adebc98434745b69fabf959db3d5fb0993b2be8c06f448d0b031de88024d7a4d37fdcab8dbfad

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe
        Filesize

        145KB

        MD5

        2ef95efdbedb353a82497ab63aa39067

        SHA1

        a7784438c0ca3e37d63fc409435f6a5e96f73f41

        SHA256

        6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b

        SHA512

        1c053e93ffb29b7ef556e898650e447e8f3c101e5eb491fdd68adebc98434745b69fabf959db3d5fb0993b2be8c06f448d0b031de88024d7a4d37fdcab8dbfad

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe
        Filesize

        145KB

        MD5

        2ef95efdbedb353a82497ab63aa39067

        SHA1

        a7784438c0ca3e37d63fc409435f6a5e96f73f41

        SHA256

        6432e96629806652156594eb8c7c5af3cc397dc7b5d871787db5be71ff6cdd1b

        SHA512

        1c053e93ffb29b7ef556e898650e447e8f3c101e5eb491fdd68adebc98434745b69fabf959db3d5fb0993b2be8c06f448d0b031de88024d7a4d37fdcab8dbfad

        Download Submit

      • memory/1280-179-0x0000000000400000-0x0000000000480000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1280-165-0x0000000000400000-0x0000000000480000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1280-167-0x0000000000400000-0x0000000000480000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1280-166-0x0000000000400000-0x0000000000480000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1280-163-0x0000000000400000-0x0000000000480000-memory.dmp

        Filesize

        512KB

        Download

      • memory/4356-197-0x0000000002860000-0x0000000002870000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4356-191-0x0000000002860000-0x0000000002870000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4356-192-0x0000000002860000-0x0000000002870000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4356-196-0x0000000002860000-0x0000000002870000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4440-145-0x0000000005F70000-0x0000000005FD6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4440-139-0x0000000005F00000-0x0000000005F66000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4440-155-0x0000000006AF0000-0x0000000006B0A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4440-154-0x0000000007C90000-0x000000000830A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4440-153-0x0000000001450000-0x0000000001460000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4440-152-0x0000000006500000-0x000000000651E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4440-151-0x0000000001450000-0x0000000001460000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4440-136-0x0000000003020000-0x0000000003056000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4440-150-0x0000000001450000-0x0000000001460000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4440-137-0x0000000001450000-0x0000000001460000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4440-156-0x0000000001450000-0x0000000001460000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4440-138-0x0000000005760000-0x0000000005D88000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4516-180-0x0000000002E60000-0x0000000002E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4732-133-0x0000000000360000-0x000000000038A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4732-135-0x00000000055D0000-0x00000000055F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4732-134-0x0000000004E10000-0x0000000004E20000-memory.dmp

        Filesize

        64KB

        Download