Overview

overview

10

Static

static

3

skihejsene.exe

windows7-x64

10

skihejsene.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    05-06-2023 14:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    skihejsene.exe

  • Size

    426KB

  • MD5

    3d5c45dfc5e4d5e92519baaa10eef55e

  • SHA1

    4060970106372cca520182bd6767a372cb1d8881

  • SHA256

    0b503c9f8f6f4879b48c019d31ac921f11d62ab469aa0fce0ac309aca525cde2

  • SHA512

    a02be1e1b1e3ad70208b781ce6f42e7d61ce275f7330acc834832831a1e7abdb89b06907fe39622649ab1dfa61a6631d147c36b14c7aeaa4dfaf1b671b5a3c8e

  • SSDEEP

    12288:oSZkNErxea4TdsqFodI6Ck45qnHY4XfoYX:VZ6Eroa4vFNIPb

Score
10/10
guloaderremcosremotehostdownloaderratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.223.132:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-JJJLWY

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\skihejsene.exe
    "C:\Users\Admin\AppData\Local\Temp\skihejsene.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\AppData\Local\Temp\skihejsene.exe
      "C:\Users\Admin\AppData\Local\Temp\skihejsene.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Users\Admin\AppData\Local\Temp\skihejsene.exe
        C:\Users\Admin\AppData\Local\Temp\skihejsene.exe /stext "C:\Users\Admin\AppData\Local\Temp\uumncenbiiiqzjacjoyrwvyhta"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1176
      • C:\Users\Admin\AppData\Local\Temp\skihejsene.exe
        C:\Users\Admin\AppData\Local\Temp\skihejsene.exe /stext "C:\Users\Admin\AppData\Local\Temp\eosfdwyuwqavkqwgsylshzkyugxii"
        3⤵
          PID:1468
        • C:\Users\Admin\AppData\Local\Temp\skihejsene.exe
          C:\Users\Admin\AppData\Local\Temp\skihejsene.exe /stext "C:\Users\Admin\AppData\Local\Temp\gixqepiwrysameksbjfmjmfhdngrjiff"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1520

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\remcos\logs.dat
      Filesize

      170B

      MD5

      e046f662848ce179c7f890fed3cc3691

      SHA1

      eca30063e28060d980721db56cfd35fb06780653

      SHA256

      bdfcb8043bb972756ac8c2699b4aad6ceabade35b354e161827672878532b5e0

      SHA512

      cb1c7f2e61809303eab18c22216a1b11edbc540a76706641668fd89ed1031c87ce2873025648025abb3bd505a8c04708c1a092b39e6ce6ea08d863f460af7562

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\uumncenbiiiqzjacjoyrwvyhta
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit
    • C:\Windows\Fonts\Superdatamat18.ini
      Filesize

      42B

      MD5

      0efb517a38bad656ca0827dbef67154b

      SHA1

      96c246f8d332e42f17ec5d63f73f319fe0c5fa8a

      SHA256

      2a51482adc1ee0a79bff2a3f5ac2e9e300478856ae83d129aceed76f0354926c

      SHA512

      ecea23873e00adbcd2a0a839a6aaaee20bdfc5c72cd22b560564f8e894845a1c840d4d85643f0a3e09a054018273816c4b5d8a41828e3d9a324590d7293e9227

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsj4B74.tmp\System.dll
      Filesize

      11KB

      MD5

      375e8a08471dc6f85f3828488b1147b3

      SHA1

      1941484ac710fc301a7d31d6f1345e32a21546af

      SHA256

      4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78

      SHA512

      5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

      Download Submit
    • memory/1136-17103-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/1136-17102-0x0000000001470000-0x0000000003504000-memory.dmp
      Filesize

      32.6MB

      Download
    • memory/1136-17101-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/1136-17104-0x0000000001470000-0x0000000003504000-memory.dmp
      Filesize

      32.6MB

      Download
    • memory/1136-17105-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/1136-17111-0x0000000001470000-0x0000000003504000-memory.dmp
      Filesize

      32.6MB

      Download
    • memory/1136-17114-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/1136-17118-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/1136-17146-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/1176-17124-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/1176-17141-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/1176-17121-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/1176-17126-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/1176-17129-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/1468-17131-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/1468-17127-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/1468-17123-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/1468-17144-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/1520-17128-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/1520-17133-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/1520-17134-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/1520-17135-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/1556-17100-0x0000000003B60000-0x0000000005BF4000-memory.dmp
      Filesize

      32.6MB

      Download
    • memory/1556-17099-0x0000000003B60000-0x0000000005BF4000-memory.dmp
      Filesize

      32.6MB

      Download