Overview

overview

10

Static

static

10

016153c373...28.exe

windows7-x64

10

016153c373...28.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2023 19:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    016153c37340d7dd4d45563208a25928.exe

  • Size

    420KB

  • MD5

    016153c37340d7dd4d45563208a25928

  • SHA1

    591f8da7ede0f741c04ec18348999e7a39e96183

  • SHA256

    f41fc6480ca831a072c88d512b3ca96264c7d8652d30224b2f88465139dc8319

  • SHA512

    bdd7af6d07f38eae6e7500ac6d6d5175889e82a4d515025d6899049b1d56f46196d8a418e2b82a94865c7236a44e78f29af551548810f07fba1b6afce30e830f

  • SSDEEP

    6144:49g5p/aJJL7XJAnY7jioSgBK0Ru115xTcYeEknZJJAVAel:4gUJHX+nOjhBq1j2AWK

Score
10/10
remcosbuddyagilenetpersistencerat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

Buddy

C2

eastsidepapi.myq-see.com:6996

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Buddy.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Buddy-PVO134

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Buddy

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\016153c37340d7dd4d45563208a25928.exe
    "C:\Users\Admin\AppData\Local\Temp\016153c37340d7dd4d45563208a25928.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v progmfil /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\ftermgr.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v progmfil /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\ftermgr.exe"
        3⤵
        • Adds Run key to start application
        PID:4632
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Users\Admin\AppData\Local\ftermgr.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Users\Admin\AppData\Local\ftermgr.exe
        "C:\Users\Admin\AppData\Local\ftermgr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Users\Admin\AppData\Local\ftermgr.exe
          "C:\Users\Admin\AppData\Local\ftermgr.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3876
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1476
          4⤵
          • Program crash
          PID:1504
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1980 -ip 1980
    1⤵
      PID:3672

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\ftermgr.exe
      Filesize

      93KB

      MD5

      7e398f9078b2f33bda48e36634d49d5b

      SHA1

      ca07f5c07b1472cf017fdc582b9286d2f5c3cc73

      SHA256

      56b7e72a895392d55e3647aec2c7549ac59a42a4580b5c3781158fc7544cc337

      SHA512

      8333259e4b92544d2e7f7a66dc00bf6965060f49bb09979a946591c9e9342ec91ef107b9e020427b248541dbf0d1d1a57594dc2dd443a60109c05a8d0483deaa

      Download Submit
    • C:\Users\Admin\AppData\Local\ftermgr.exe
      Filesize

      97KB

      MD5

      73b727dcb2e1d1b9763874a219821a17

      SHA1

      6245e0ccaff92e8a15064599bc5cefd91d037e39

      SHA256

      3df3e4fa874c92e57a8113e3ff05b8c48ed641a99486864c7e0c5dd2429bc266

      SHA512

      883bffdc611f07c8c9ae4feb7409ecb3d5fa764c9632ca53918b7180bf0d114cc3d199b4fce375fd995f164ae5e42167fc59ce85c61a4ee6566bdf3feab9fe64

      Download Submit
    • C:\Users\Admin\AppData\Local\ftermgr.exe
      Filesize

      420KB

      MD5

      016153c37340d7dd4d45563208a25928

      SHA1

      591f8da7ede0f741c04ec18348999e7a39e96183

      SHA256

      f41fc6480ca831a072c88d512b3ca96264c7d8652d30224b2f88465139dc8319

      SHA512

      bdd7af6d07f38eae6e7500ac6d6d5175889e82a4d515025d6899049b1d56f46196d8a418e2b82a94865c7236a44e78f29af551548810f07fba1b6afce30e830f

      Download Submit
    • memory/316-36-0x00000000066F0000-0x000000000673C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/316-34-0x0000000006190000-0x00000000064E4000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/316-38-0x0000000006B40000-0x0000000006B5A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/316-39-0x0000000007620000-0x0000000007642000-memory.dmp
      Filesize

      136KB

      Download
    • memory/316-37-0x0000000006BB0000-0x0000000006C46000-memory.dmp
      Filesize

      600KB

      Download
    • memory/316-20-0x0000000005820000-0x0000000005E48000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/316-35-0x0000000006650000-0x000000000666E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/316-47-0x0000000075330000-0x0000000075AE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/316-23-0x0000000005EC0000-0x0000000005F26000-memory.dmp
      Filesize

      408KB

      Download
    • memory/316-24-0x0000000006020000-0x0000000006086000-memory.dmp
      Filesize

      408KB

      Download
    • memory/316-22-0x0000000005690000-0x00000000056B2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/316-19-0x0000000002E10000-0x0000000002E20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/316-16-0x0000000002D30000-0x0000000002D66000-memory.dmp
      Filesize

      216KB

      Download
    • memory/316-18-0x0000000075330000-0x0000000075AE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/316-21-0x0000000002E10000-0x0000000002E20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1756-12-0x0000000005640000-0x0000000005648000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1756-2-0x0000000004C30000-0x0000000004C46000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1756-13-0x0000000004D10000-0x0000000004D20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1756-1-0x0000000075330000-0x0000000075AE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1756-11-0x0000000004D10000-0x0000000004D20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1756-10-0x0000000005960000-0x00000000059A4000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1756-9-0x0000000004D10000-0x0000000004D20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1756-7-0x00000000055D0000-0x00000000055D8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1756-8-0x0000000075330000-0x0000000075AE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1756-6-0x00000000054B0000-0x0000000005542000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1756-5-0x0000000005280000-0x0000000005288000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1756-4-0x00000000059C0000-0x0000000005F64000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1756-3-0x0000000004D10000-0x0000000004D20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1756-0-0x00000000002F0000-0x0000000000360000-memory.dmp
      Filesize

      448KB

      Download
    • memory/1756-17-0x0000000075330000-0x0000000075AE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1980-52-0x0000000001610000-0x0000000001620000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1980-44-0x00000000015B0000-0x00000000015C6000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1980-48-0x0000000001610000-0x0000000001620000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1980-49-0x0000000075330000-0x0000000075AE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1980-50-0x0000000001610000-0x0000000001620000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1980-51-0x0000000005E70000-0x0000000005E7A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1980-46-0x0000000001610000-0x0000000001620000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1980-61-0x0000000075330000-0x0000000075AE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1980-45-0x0000000075330000-0x0000000075AE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3876-57-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/3876-59-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/3876-60-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/3876-56-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/3876-53-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/3876-64-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download