Overview

overview

10

Static

static

3

1015SO9421...JC.exe

windows7-x64

10

1015SO9421...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/10/2023, 16:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1015SO9421INVPL7245577630screxe_JC.exe

  • Size

    919KB

  • MD5

    5dd0bedc7f6f9096ca5abf564a7901d9

  • SHA1

    f170d704ec220a6ef1fe6f2c2f0f755909004c00

  • SHA256

    483d7f7379d43c9fb3effb226cb58a443f48105bda3a9a6310a76729d7c1b3bd

  • SHA512

    d231e9247e9e72b0051f15ac7a19da10fe5fb18a6522a49d5da1a3d1ef72e41a0ade3d704e574b57ee6a451c56de7990f25f9e926fa3086298e619c5262b6bcf

  • SSDEEP

    12288:4iM2/jjKqOW4hKAQc8MrmzwiysldDE0Igu95Pecpfj5hsLBpYCptgVkKnNAMYG:lLD40At88EysldD1Igu9xV5hyVtunNS

Score
10/10
remcosremotehostcollectionratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

104.250.180.178:7902

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    MVPL-D815F2

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1015SO9421INVPL7245577630screxe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\1015SO9421INVPL7245577630screxe_JC.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Users\Admin\AppData\Local\Temp\1015SO9421INVPL7245577630screxe_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\1015SO9421INVPL7245577630screxe_JC.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Users\Admin\AppData\Local\Temp\1015SO9421INVPL7245577630screxe_JC.exe
        C:\Users\Admin\AppData\Local\Temp\1015SO9421INVPL7245577630screxe_JC.exe /stext "C:\Users\Admin\AppData\Local\Temp\dbpxddzzoqplngnjniolnxqelkq"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4704
      • C:\Users\Admin\AppData\Local\Temp\1015SO9421INVPL7245577630screxe_JC.exe
        C:\Users\Admin\AppData\Local\Temp\1015SO9421INVPL7245577630screxe_JC.exe /stext "C:\Users\Admin\AppData\Local\Temp\ovvhwvstkyhqxmjnwtjmybdvuzivye"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:4892
      • C:\Users\Admin\AppData\Local\Temp\1015SO9421INVPL7245577630screxe_JC.exe
        C:\Users\Admin\AppData\Local\Temp\1015SO9421INVPL7245577630screxe_JC.exe /stext "C:\Users\Admin\AppData\Local\Temp\qxaaxoduygzvatxrowwgboxmdgrwzpdsee"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4204

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dbpxddzzoqplngnjniolnxqelkq
    Filesize

    4KB

    MD5

    28cfa3f332aaea0dbc2c6b239ae55629

    SHA1

    69508ce857a1b4d2643967fa5438330fc5a919c3

    SHA256

    f53cfdd9e5697f08e83d67f2b7436f116fa6fea044d3a7ac09e9f4257a148e85

    SHA512

    2fdbb194c93111dc5c26df24a7e2d5a0994d05286b4541e09180a2fceb653f86cc6e7a8ed5ad1d1d461a280ab5c015aadbfb4e6c0f98aea6cb78828ffe288e54

    Download Submit

  • memory/2080-61-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-59-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-50-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2080-53-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2080-54-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2080-55-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2080-37-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-56-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2080-57-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-22-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-58-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2080-12-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-13-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-15-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-16-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-18-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-20-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-19-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-60-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-21-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-62-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-23-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-25-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-64-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2080-63-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3456-3-0x0000000005040000-0x00000000050D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3456-1-0x0000000000580000-0x000000000066C000-memory.dmp

    Filesize

    944KB

    Download

  • memory/3456-2-0x0000000005710000-0x0000000005CB4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3456-17-0x00000000748D0000-0x0000000075080000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3456-11-0x000000000A8E0000-0x000000000A97C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3456-7-0x00000000748D0000-0x0000000075080000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3456-9-0x0000000005220000-0x0000000005230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3456-10-0x00000000080F0000-0x00000000081A8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/3456-6-0x0000000005200000-0x0000000005218000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3456-5-0x0000000005100000-0x000000000510A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3456-4-0x0000000005230000-0x0000000005240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3456-8-0x0000000005230000-0x0000000005240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3456-0-0x00000000748D0000-0x0000000075080000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4204-46-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4204-31-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4204-35-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4204-40-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4204-34-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4704-26-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4704-29-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4704-39-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4704-48-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4704-36-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4892-38-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/4892-33-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/4892-41-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/4892-28-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/4892-45-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download