Overview

overview

10

Static

static

10

a2b750b127...6c.exe

windows7-x64

10

a2b750b127...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/08/2023, 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe

  • Size

    232KB

  • MD5

    4cc8305c3872eece74306734857cbe6c

  • SHA1

    5a37e53e9b9848a08b9d141969f1479d7358845d

  • SHA256

    a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c

  • SHA512

    90631422dc22099872f6b246b750c7a69256129ae29e6cb726c5a15ac189f045ff7d331ce80a2f0aa0b2c4a2aaf175f377ec8b3d45d0bc7d5fbdcddc23d6c0f9

  • SSDEEP

    6144:avGSN9gWuLpcBKnVBYAsmrzpyDfOXXV1BYj:avbGWulcBKV3uOXKj

Score
10/10
remcoswytaugustratspywarestealerupx

Malware Config

Extracted

Family

remcos

Botnet

wytAUgust

C2

exbanebiec.duckdns.org:9596

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-SDMP35

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe
    "C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe
      C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe /stext "C:\Users\Admin\AppData\Local\Temp\becbqejjkc"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4016
    • C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe
      C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe /stext "C:\Users\Admin\AppData\Local\Temp\dgpujwudykpdf"
      2⤵
        PID:2040
      • C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe
        C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe /stext "C:\Users\Admin\AppData\Local\Temp\obunjpffmshipyql"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4236

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\remcos\logs.dat
      Filesize

      144B

      MD5

      52061a75d20c0829a0bc5adf1dc2f19d

      SHA1

      9646d76068c0c8a1281eccb76e27b7f835d40481

      SHA256

      41ac485cfcedc8d8aa3bc51b7e768dab291f740d390e586ecb07a56a577e45e9

      SHA512

      c7254475b6b6a0b85ce64ae1ac5fa3fbbf15538b9123031429cd2d1ddf2d976360e3a8297a2fe591037210b5c14ade19763baf084fd256e65614add2174d2164

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\becbqejjkc
      Filesize

      4KB

      MD5

      3a76b7ef67ef3e8e1f6224d8d1dfd6f6

      SHA1

      91ab70d5235504d9382187d324d105e0ec9f18b6

      SHA256

      b4e6c48d47450b4a7860837a4af913ea8d8080ae0f34b8328388c209181592cf

      SHA512

      6040e0c4cb75632c8b131e6d130e8a5b8e265502500648bcd0af2919c1cbcafe0d0967e0141ab3768f8e1d6b3579914a20374139cd51065214da93753f07e0c3

      Download Submit

    • memory/2040-155-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/2040-137-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/2040-140-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/2040-145-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/4016-135-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4016-138-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4016-143-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4016-159-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4016-158-0x0000000000480000-0x0000000000549000-memory.dmp

      Filesize

      804KB

      Download

    • memory/4236-141-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4236-156-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4236-152-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4236-150-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4704-165-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4704-179-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4704-164-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4704-166-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4704-168-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4704-170-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4704-172-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4704-161-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4704-175-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4704-133-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4704-182-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4704-185-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4704-188-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4704-191-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4704-193-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4704-196-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4704-199-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4704-205-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4704-208-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download