Overview

overview

10

Static

static

1

Offer 6768YTYBZZZ.exe

windows7-x64

10

Offer 6768YTYBZZZ.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2023, 14:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Offer 6768YTYBZZZ.exe

  • Size

    1.5MB

  • MD5

    9b44e64528cbb8629b1becaf4c1d90d0

  • SHA1

    c32a6e6ad143e9af937fcf9333709f7cde6c473f

  • SHA256

    6fc78cd62ad7070945bd4230c06b2a85cca635b662e3a1bde2aa4f3338f26a26

  • SHA512

    cff1b59c0a0e4b988e2d642843c343d4d17ba6cc854d19777797630bcd04d7cbdbdc1184634f43d793ffe46ad456d4d6d27010c270acc84203c3d3b474f8dc09

  • SSDEEP

    12288:o43UZVZlCpsxerUOtPHKqLRKxP0xfpF+woc/YPnQb+ut8lZBRe71C9SYpDWGyIO4:qIpsxerUOtPHH7xxFk0E39DlyCZthN

Score
10/10
remcosaaaaacollectionrat

Malware Config

Extracted

Family

remcos

Botnet

AAAAA

C2

grantadistciaret.com:3212

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-FWG2GL

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Offer 6768YTYBZZZ.exe
    "C:\Users\Admin\AppData\Local\Temp\Offer 6768YTYBZZZ.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe /stext "C:\Users\Admin\AppData\Local\Temp\hsllaopprdjaqoynaru"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4380
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe /stext "C:\Users\Admin\AppData\Local\Temp\rmqdahainlbfscurkcpiky"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:4092
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe /stext "C:\Users\Admin\AppData\Local\Temp\cowwbzkkbttrdjivbmbcnlela"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2976

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\hsllaopprdjaqoynaru
          Filesize

          4KB

          MD5

          67ebc7f72150d8441093939d8f56109d

          SHA1

          7c242f32e89cbc9b3925abffc02a812657eed188

          SHA256

          2877bf02e12dbebfe8504ba84085c2ccb3d3f5b938090cd1a1f7702c1966cef5

          SHA512

          791253cb1900a79508f144e75569e9855e71958602d532eae31a7c3a8360951fd5e39fec7120ec52e4d5369ce574485122dd6d58705dafa8400843df9d54e258

          Download Submit

        • memory/1172-41-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-47-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-3-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-4-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-5-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-6-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-7-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-8-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-9-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-11-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-51-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-50-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-48-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-37-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/1172-46-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-45-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-44-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-43-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/1172-2-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-42-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-1-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-0-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/1172-39-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/1172-40-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/1172-34-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/1172-38-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/2976-24-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2976-29-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2976-20-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2976-16-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/4092-30-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        • memory/4092-22-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        • memory/4092-25-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        • memory/4092-18-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        • memory/4092-13-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        • memory/4380-32-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/4380-17-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/4380-23-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/4380-12-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download