Overview

overview

10

Static

static

10

ff044509cd...7a.exe

windows7-x64

10

ff044509cd...7a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    28-12-2023 23:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff044509cd6eba3681d1f548574b5d7a.exe

  • Size

    420KB

  • MD5

    ff044509cd6eba3681d1f548574b5d7a

  • SHA1

    d83b30d4bf145fcf8053e190ab9a0af0577d4cee

  • SHA256

    e897d756722140b424ac02aab14733d05074d5c40f019c6420bc2689dccd6915

  • SHA512

    ae1bdc80b0cb1be8261a36fd194620b7efd6c391b508f05d5351c9a0b620f3066342ba4a6543821ed9adbb742a29936b925036f321993c3dde151a08cc5af7e0

  • SSDEEP

    6144:d9g5p/aJJL7XJAnY7jioSgBK0Ru115xTcYeEknZJJAVAe3:dgUJHX+nOjhBq1j2AWE

Score
10/10
remcosbuddyagilenetpersistencerat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

Buddy

C2

eastsidepapi.myq-see.com:6996

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Buddy.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Buddy-PVO134

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Buddy

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff044509cd6eba3681d1f548574b5d7a.exe
    "C:\Users\Admin\AppData\Local\Temp\ff044509cd6eba3681d1f548574b5d7a.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v progmfil /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\ftermgr.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v progmfil /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\ftermgr.exe"
        3⤵
        • Adds Run key to start application
        PID:2856
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Users\Admin\AppData\Local\ftermgr.exe
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Users\Admin\AppData\Local\ftermgr.exe
        "C:\Users\Admin\AppData\Local\ftermgr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Users\Admin\AppData\Local\ftermgr.exe
          "C:\Users\Admin\AppData\Local\ftermgr.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1528
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 928
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\ftermgr.exe
    Filesize

    381KB

    MD5

    54998c9f9135e93fe7652b1406a8e42c

    SHA1

    ca9c1ece2f3d80fb9695c29b2836a75c1ac97f55

    SHA256

    9e7ef351a1bf47d4d29bff053417aa326edbb45927b2b265795afa1ae2c2868e

    SHA512

    f62d00137280af04ece48fbfb04b06fd1f3498821f6b0edd408bac81dae4206aadb7716a45e0a56adfa40a7c2fca554c07412cf08f396a46153c60cf6c181b47

    Download Submit
  • C:\Users\Admin\AppData\Local\ftermgr.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • \Users\Admin\AppData\Local\ftermgr.exe
    Filesize

    92KB

    MD5

    46905a67b43f2cd0b34693b625623b61

    SHA1

    a8c118261f55c2c573df9372942797f53eaa11af

    SHA256

    3e5b71f3538b88c927379184a5b9dfe7453acc4ad45333c80c5e0e13ebcefd11

    SHA512

    4899dec3030fcb552467da956420611f78af36202091ba6a4496a99f28013785d0605bf40c29c5d7e634e120a1a064a1a9d363e665e04d61ffe9400d1ab34f7f

    Download Submit
  • memory/1528-27-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1528-30-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1528-38-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1528-41-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1528-34-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1528-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1528-31-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1528-37-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1528-29-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1528-26-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1528-25-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2440-20-0x000000006FB50000-0x000000007023E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2440-21-0x00000000000D0000-0x0000000000140000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2440-24-0x0000000000410000-0x000000000041A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2440-22-0x0000000004940000-0x0000000004980000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2440-23-0x000000006FB50000-0x000000007023E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2744-15-0x0000000002CD0000-0x0000000002D10000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2744-13-0x0000000073B60000-0x000000007410B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2744-14-0x0000000073B60000-0x000000007410B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2744-19-0x0000000073B60000-0x000000007410B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2932-3-0x0000000000590000-0x0000000000598000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2932-0-0x0000000000D10000-0x0000000000D80000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2932-4-0x0000000004BD0000-0x0000000004C10000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2932-5-0x00000000005B0000-0x00000000005B8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2932-10-0x0000000074290000-0x000000007497E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2932-9-0x0000000004BD0000-0x0000000004C10000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2932-7-0x00000000009C0000-0x00000000009C8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2932-6-0x0000000074290000-0x000000007497E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2932-2-0x0000000074290000-0x000000007497E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2932-1-0x0000000000360000-0x0000000000376000-memory.dmp
    Filesize

    88KB

    Download