Analysis
  max time kernel: 150s
  max time network: 146s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 05-06-2023 06:52
Static task: static1
Behavioral task: behavioral1
  Sample: 31883190ELECTRICAL.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 31883190ELECTRICAL.exe
  Resource: win10v2004-20230220-en
General
  Target: 31883190ELECTRICAL.exe
  Size: 586KB
  MD5: fe4416331247444c6c57ea58ad78e1ef
  SHA1: d738112ccfc03f09b5b568e13f34cc02fcd40c73
  SHA256: ecfc23f618cbfb73fb59ffa9041ef8308eee9cd322c612efcf6e09815eba6851
  SHA512: 3cadbedbe829faf961bba5c06b64f7c494aefc9c18079004b28fdb9f58352e79d041b65846b162789cb651c8a636b413d25101407d966337595dbdc07781cdcb
  SSDEEP: 12288:Vc1TtA2C24kq3x/cxZiDsxJbOcSEcCOkGQUgZLvWAWNCmfsujmZGEQEO:Vk+B24kqF7DsxXLPTXvWHMmUujmTQB
Malware Config
Extracted: remcos
  RemoteHost: 155.94.136.161:2404
  audio_folder: MicRecords
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  mouse_option: false
  mutex: Rmc-EN47F6
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  take_screenshot_option: false
  take_screenshot_time: 5
Signatures

Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.

NirSoft MailPassView (3 IoCs)
  Password recovery tool for various email clients
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/1076-166-0x0000000000400000-0x0000000000457000-memory.dmp  MailPassView
    behavioral2/memory/1076-164-0x0000000000400000-0x0000000000457000-memory.dmp  MailPassView
    behavioral2/memory/1076-161-0x0000000000400000-0x0000000000457000-memory.dmp  MailPassView

NirSoft WebBrowserPassView (3 IoCs)
  Password recovery tool for various web browsers
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/2376-169-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
    behavioral2/memory/2376-162-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
    behavioral2/memory/2376-178-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView

Nirsoft (9 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/1076-166-0x0000000000400000-0x0000000000457000-memory.dmp  Nirsoft
    behavioral2/memory/4804-167-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
    behavioral2/memory/2376-169-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
    behavioral2/memory/4804-174-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
    behavioral2/memory/4804-173-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
    behavioral2/memory/1076-164-0x0000000000400000-0x0000000000457000-memory.dmp  Nirsoft
    behavioral2/memory/2376-162-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
    behavioral2/memory/1076-161-0x0000000000400000-0x0000000000457000-memory.dmp  Nirsoft
    behavioral2/memory/2376-178-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft

Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes:
    description              ioc                                   process
    File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  31883190ELECTRICAL.exe
    File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  31883190ELECTRICAL.exe

Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    4112  31883190ELECTRICAL.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes:
    description  ioc                                                                                                                            process
    Key opened   \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  31883190ELECTRICAL.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  Processes:
    pid   process
    3460  31883190ELECTRICAL.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    pid   process
    4112  31883190ELECTRICAL.exe
    3460  31883190ELECTRICAL.exe

Suspicious use of SetThreadContext (4 IoCs)
  Processes:
    description                          pid   process                 target process
    PID 4112 set thread context of 3460  4112  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
    PID 3460 set thread context of 2376  3460  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
    PID 3460 set thread context of 1076  3460  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
    PID 3460 set thread context of 4804  3460  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid   process
    2376  31883190ELECTRICAL.exe
    2376  31883190ELECTRICAL.exe
    4804  31883190ELECTRICAL.exe
    4804  31883190ELECTRICAL.exe
    2376  31883190ELECTRICAL.exe
    2376  31883190ELECTRICAL.exe

Suspicious behavior: MapViewOfSection (4 IoCs)
  Processes:
    pid   process
    4112  31883190ELECTRICAL.exe
    3460  31883190ELECTRICAL.exe
    3460  31883190ELECTRICAL.exe
    3460  31883190ELECTRICAL.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   4804  31883190ELECTRICAL.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    3460  31883190ELECTRICAL.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description                       pid   process                 target process
    PID 4112 wrote to memory of 3460  4112  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
    PID 4112 wrote to memory of 3460  4112  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
    PID 4112 wrote to memory of 3460  4112  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
    PID 4112 wrote to memory of 3460  4112  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
    PID 3460 wrote to memory of 2376  3460  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
    PID 3460 wrote to memory of 2376  3460  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
    PID 3460 wrote to memory of 2376  3460  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
    PID 3460 wrote to memory of 1076  3460  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
    PID 3460 wrote to memory of 1076  3460  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
    PID 3460 wrote to memory of 1076  3460  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
    PID 3460 wrote to memory of 4804  3460  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
    PID 3460 wrote to memory of 4804  3460  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
    PID 3460 wrote to memory of 4804  3460  31883190ELECTRICAL.exe  31883190ELECTRICAL.exe
Processes

C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe"
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe"
    - Checks QEMU agent file
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe /stext "C:\Users\Admin\AppData\Local\Temp\dppoefamupadvkcpbhszja"
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe /stext "C:\Users\Admin\AppData\Local\Temp\nrdhexkoiysixqqtksmtumssr"
      - Accesses Microsoft Outlook accounts

    C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe /stext "C:\Users\Admin\AppData\Local\Temp\qlizfpviegkvhemxtdzuxrnbsqman"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\remcos\logs.dat
  Filesize: 188B
  MD5: 2d05da5bd8afca4f205a4e77805497a1
  SHA1: 1bed034276342e95c965d49fedf6ac70c03b8104
  SHA256: f58464c7b31afe486bee38aa8ce7ecd2b1761c18e2a8afd0c4f9adc19477d780
  SHA512: 0e36b5882aece052ddc772dc50b14c5dc396ee548d226a9ac9c21f59f2870f692d619b4752f0d7d900add6d0c8f9ec2546214210c36fc2ba8f0a591acf32f799

C:\Users\Admin\AppData\Local\Temp\dppoefamupadvkcpbhszja
  Filesize: 4KB
  MD5: 7e7e8e77a909ae1ac11fb356c3430a5e
  SHA1: ef6c5ac6efc7104809b00840dd24a8d74e706fd4
  SHA256: d3e8da27af617990bdfcaef5c3617788a606ba5860967a679fa6d5279772a985
  SHA512: fe6a8722197e4cd5f61ad7182c66f6cba60ada6ca482c12eefa184fb7cb509362142f1767cb89126bfa8caaa6ed087bfd0287aacbbb56dbaa9bc2245815b1bfb

C:\Users\Admin\AppData\Local\Temp\nsa6F79.tmp\System.dll
  Filesize: 11KB
  MD5: 17ed1c86bd67e78ade4712be48a7d2bd
  SHA1: 1cc9fe86d6d6030b4dae45ecddce5907991c01a0
  SHA256: bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
  SHA512: 0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5
Memory dumps
  resource                                                          Filesize
  memory/1076-161-0x0000000000400000-0x0000000000457000-memory.dmp  348KB
  memory/1076-164-0x0000000000400000-0x0000000000457000-memory.dmp  348KB
  memory/1076-166-0x0000000000400000-0x0000000000457000-memory.dmp  348KB
  memory/1076-159-0x0000000000400000-0x0000000000457000-memory.dmp  348KB
  memory/1076-156-0x0000000000400000-0x0000000000457000-memory.dmp  348KB
  memory/2376-154-0x0000000000400000-0x0000000000478000-memory.dmp  480KB
  memory/2376-169-0x0000000000400000-0x0000000000478000-memory.dmp  480KB
  memory/2376-178-0x0000000000400000-0x0000000000478000-memory.dmp  480KB
  memory/2376-158-0x0000000000400000-0x0000000000478000-memory.dmp  480KB
  memory/2376-162-0x0000000000400000-0x0000000000478000-memory.dmp  480KB
  memory/3460-186-0x0000000000400000-0x0000000001654000-memory.dmp  18.3MB
  memory/3460-151-0x0000000001660000-0x00000000042B0000-memory.dmp  44.3MB
  memory/3460-198-0x0000000000400000-0x0000000001654000-memory.dmp  18.3MB
  memory/3460-195-0x0000000000400000-0x0000000001654000-memory.dmp  18.3MB
  memory/3460-192-0x0000000000400000-0x0000000001654000-memory.dmp  18.3MB
  memory/3460-146-0x0000000001660000-0x00000000042B0000-memory.dmp  44.3MB
  memory/3460-147-0x0000000000400000-0x0000000001654000-memory.dmp  18.3MB
  memory/3460-145-0x0000000000400000-0x0000000001654000-memory.dmp  18.3MB
  memory/3460-189-0x0000000000400000-0x0000000001654000-memory.dmp  18.3MB
  memory/3460-152-0x0000000001660000-0x00000000042B0000-memory.dmp  44.3MB
  memory/3460-180-0x0000000034EA0000-0x0000000034EB9000-memory.dmp  100KB
  memory/3460-185-0x0000000034EA0000-0x0000000034EB9000-memory.dmp  100KB
  memory/3460-184-0x0000000034EA0000-0x0000000034EB9000-memory.dmp  100KB
  memory/4112-144-0x0000000002A20000-0x0000000005670000-memory.dmp  44.3MB
  memory/4112-143-0x0000000002A20000-0x0000000005670000-memory.dmp  44.3MB
  memory/4804-167-0x0000000000400000-0x0000000000424000-memory.dmp  144KB
  memory/4804-160-0x0000000000400000-0x0000000000424000-memory.dmp  144KB
  memory/4804-165-0x0000000000400000-0x0000000000424000-memory.dmp  144KB
  memory/4804-173-0x0000000000400000-0x0000000000424000-memory.dmp  144KB
  memory/4804-174-0x0000000000400000-0x0000000000424000-memory.dmp  144KB