Overview

overview

10

Static

static

3

Nicht best...01.exe

windows7-x64

10

Nicht best...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/11/2023, 10:47

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Nicht bestätigt 44301.exe

  • Size

    1.5MB

  • MD5

    dd1e9bbd16698d52fb6501664beabde6

  • SHA1

    d985290853ab46a1d98fa23b33ed003500c71bae

  • SHA256

    ef43e9475ed3cf0420900e7f29345c646978eaf6b9ae749bfe265061dfdc172b

  • SHA512

    f9650ecd6063c7e8a0a24806d30ebc66dea261711241ab2a8eca675949860fc87e3e2ff53c5d4279a7fcd8979405f459e5058b098e5ba5398bfbdb23c34a09fd

  • SSDEEP

    49152:kUKg7X7cHxjXoNXhXcmpQGpk03bFDDIfgNz:kUj7UXoNhXcHq3b2YNz

Score
10/10
remcosremotehostcollectionratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

172.96.14.18:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-OB0RTV

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nicht bestätigt 44301.exe
    "C:\Users\Admin\AppData\Local\Temp\Nicht bestätigt 44301.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Users\Admin\AppData\Local\Temp\Nicht bestätigt 44301.exe
      "C:\Users\Admin\AppData\Local\Temp\Nicht bestätigt 44301.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Users\Admin\AppData\Local\Temp\Nicht bestätigt 44301.exe
        "C:\Users\Admin\AppData\Local\Temp\Nicht bestätigt 44301.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fvcwejffk"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3184
      • C:\Users\Admin\AppData\Local\Temp\Nicht bestätigt 44301.exe
        "C:\Users\Admin\AppData\Local\Temp\Nicht bestätigt 44301.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pphofcpgylan"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:4984
      • C:\Users\Admin\AppData\Local\Temp\Nicht bestätigt 44301.exe
        "C:\Users\Admin\AppData\Local\Temp\Nicht bestätigt 44301.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ssmzguaamtssvet"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:636
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 1432
        3⤵
        • Program crash
        PID:4996
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2976 -ip 2976
    1⤵
      PID:3596

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\fvcwejffk
            Filesize

            4KB

            MD5

            2878d4e5cf3f445259717eef565b653d

            SHA1

            0acce77a54346135628df0ec5e54b808bbd6ff11

            SHA256

            c97718d36d80005338b0f594c21dfdc2d5345fc05b62f381e5052cfe836595ae

            SHA512

            016e2cb00529273ca7022fe095861877b61fded3b9713d32765d55d621218dba5ace20ca2122cf5b012777a0ffe4edf8709c9f68490d104d6c79ea458036105d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsvA00B.tmp\System.dll
            Filesize

            11KB

            MD5

            75ed96254fbf894e42058062b4b4f0d1

            SHA1

            996503f1383b49021eb3427bc28d13b5bbd11977

            SHA256

            a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

            SHA512

            58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

            Download Submit

          • memory/636-49-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/636-36-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/636-50-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/636-46-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2560-19-0x00000000775E1000-0x0000000077701000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2560-20-0x0000000074230000-0x0000000074236000-memory.dmp

            Filesize

            24KB

            Download

          • memory/2976-57-0x00000000362D0000-0x00000000362E9000-memory.dmp

            Filesize

            100KB

            Download

          • memory/2976-27-0x00000000004B0000-0x00000000056AB000-memory.dmp

            Filesize

            82.0MB

            Download

          • memory/2976-64-0x00000000362D0000-0x00000000362E9000-memory.dmp

            Filesize

            100KB

            Download

          • memory/2976-61-0x00000000004B0000-0x00000000056AB000-memory.dmp

            Filesize

            82.0MB

            Download

          • memory/2976-62-0x0000000072FD0000-0x0000000074224000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/2976-22-0x0000000077685000-0x0000000077686000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2976-21-0x0000000077668000-0x0000000077669000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2976-60-0x00000000362D0000-0x00000000362E9000-memory.dmp

            Filesize

            100KB

            Download

          • memory/2976-23-0x0000000072FD0000-0x0000000074224000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/2976-37-0x00000000775E1000-0x0000000077701000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3184-35-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

            Download

          • memory/3184-40-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

            Download

          • memory/3184-54-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

            Download

          • memory/3184-32-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

            Download

          • memory/3184-29-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

            Download

          • memory/4984-45-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download

          • memory/4984-38-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download

          • memory/4984-30-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download

          • memory/4984-34-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download