Overview

overview

10

Static

static

3

MonkeModManager.exe

windows7-x64

10

MonkeModManager.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    7s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    09/01/2024, 16:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    MonkeModManager.exe

  • Size

    146KB

  • MD5

    81933ce5ca9beb8efb6c431bc6505361

  • SHA1

    7f88cc2b8e40a2f485f9062fc8bba4ac2793c20a

  • SHA256

    ae4803897d99ebbce5ef7bb65155c70aa8496188c769f9b5829aee8d62ec8d82

  • SHA512

    debad62cb7928bafc1aebf84933fe64afe7dfea06ef01588509ec7b4283a4a07eed584f40e28e40c626295c3b357b469397a664e65b90cf04d530531daddd4a8

  • SSDEEP

    1536:z3rY49c1TiyDZESAkt4+UM3upJ7ak5C3kIJfmGY9lToGI7J3z+InbSPqZuBsv032:brYlEkXb+pJWkjbI936aSPqZuE090

Score
10/10
njratremcoshackedhostevasionpersistencerattrojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

shall-someone.gl.at.ply.gg:60408

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    vindevs

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_kixjmsbwpikjkoa

  • screenshot_crypt

    true

  • screenshot_flag

    true

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    60

  • startup_value

    Dlscord

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

dead-reviewer.gl.at.ply.gg:60161
Mutex

90319c19387bbc36810cf2f727f01c05

Attributes
  • reg_key

    90319c19387bbc36810cf2f727f01c05

  • splitter

    |'|'|

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe
    "C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe
      "C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies WinLogon
      PID:2268
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        3⤵
          PID:2728
          • C:\Windows\SysWOW64\PING.EXE
            PING 127.0.0.1 -n 2
            4⤵
            • Runs ping.exe
            PID:2680
          • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
            "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
            4⤵
              PID:2516
        • C:\Users\Admin\AppData\Local\Temp\Sczbl.bat
          "C:\Users\Admin\AppData\Local\Temp\Sczbl.bat"
          2⤵
          • Executes dropped EXE
          PID:2832
          • C:\Users\Admin\AppData\Local\Temp\server.exe
            "C:\Users\Admin\AppData\Local\Temp\server.exe"
            3⤵
              PID:2956
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                4⤵
                • Modifies Windows Firewall
                PID:2228
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          1⤵
            PID:2472
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\uninstall.bat" "
              2⤵
                PID:1896

            Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe
                    Filesize

                    31KB

                    MD5

                    70511857009d49466fc0142897c2e3da

                    SHA1

                    99c1ddef94ee78b88cd187cd3e89e58844485df9

                    SHA256

                    61265241dfd56fd0d597fad87c8f50f72bb6b851787117040404bbce79669bb4

                    SHA512

                    f5fb472adac8299ff53d83a826c273ab7e3dd91ed735f683f672314161411cb23fd80e25ad7b65e07e176b7edd696203384826b5270cd417c2f19b89efaa8b7a

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe
                    Filesize

                    14KB

                    MD5

                    9200fc964b0803c4baac4538679ee4c4

                    SHA1

                    bc0e0f2d8df1c7b6609a61175a08e076a23324ee

                    SHA256

                    73f54f5d57a486c511570174ee217647da8554a0900e35997bcb03c7349b4426

                    SHA512

                    69579c2493e7c231335cf9201e0e07fd80548e97db2a94c1f4d201473b808787dacf90134fe41234a3d197ef7393d6b47259c7df9b194e9a5cae8c3f1869ffff

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe
                    Filesize

                    1KB

                    MD5

                    5a42aa7f2d6cd8633cca746f0e74bc57

                    SHA1

                    90af3b9514055992b28722610f35d3503f28d678

                    SHA256

                    5e63b3ce6ad8bf64241ad0b75b241e0b2ec1db83b4d8d2d88389aa3a8e9bf9dd

                    SHA512

                    95eda10757f78f12f25f867d1f47bd5df3424d8de543fd7cbdffe14b9a4ccaf7021d127bcd2c624095c03d4a269f3d59895fa1ba3fffbf640531f29bc9e415c3

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Sczbl.bat
                    Filesize

                    1KB

                    MD5

                    ca793a55bc6bf8fc9916bf19f8d2c4e9

                    SHA1

                    94ed1be2f280775a1f5297d68e3f8b301812ffd5

                    SHA256

                    5e2a9c04291362d4cc76bc2be41e788565f2c8bd166b61e180b76020cbf3af43

                    SHA512

                    da1dc50c6d4178ea34755e478fdbcbe7f1050cf75b69f55038d48b50afe56e2131b007407f19dafb1f55b7aa3087bba0c1fd82f861bf0b59a70894114c75412c

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\install.bat
                    Filesize

                    99B

                    MD5

                    76c1687d97dfdbcea62ef1490bec5001

                    SHA1

                    5f4d1aeafa7d840cde67b76f97416dd68efd1bed

                    SHA256

                    79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4

                    SHA512

                    da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\server.exe
                    Filesize

                    19KB

                    MD5

                    c2acf4bef17036513c62ea40124333c6

                    SHA1

                    8034af4488df229d1e08977fb5fbb15111503228

                    SHA256

                    588a8f4d9b1ea9209b58acaadf2ec6f605495d6d4daad70958744189fdc4ba65

                    SHA512

                    bd3e522bdcc3e9766b96dc4bb89d8276497a48cf0f7e21f1cd027e50dd412eeaea23a07ee7109b1d7c1732c84c41e2774bd283f6b9195ab9cf1dd14c0cdf1e50

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\server.exe
                    Filesize

                    10KB

                    MD5

                    a4a01c8c34c139ee9c6562fc359a5c59

                    SHA1

                    7abb9c5868b1e4425409f27aba0ad53889ccec17

                    SHA256

                    5e7744eab1d23a0912b7adf8f97a8cc268a796ace816e144581d4a579d4a1d4f

                    SHA512

                    bc5184b0d7b499ee06b0f48e09c23d2be10ff0bd3e8ac5a26ffff46b50dfd8d451a465fd38bca8582344b09e828bafa9a27d0cb37df39c82c2c5929bd07cf60e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\uninstall.bat
                    Filesize

                    202B

                    MD5

                    1a2a2b4920ba8fddac485fcfbec7a1aa

                    SHA1

                    b5b7b32de1afc061f16797e34956dcdc3e11033b

                    SHA256

                    78bbe8f6d45d07e8ad7d701e4b7bb26f14a1c513a44dce44b54781d3667eb62c

                    SHA512

                    6507dcd331eaf565ae583dad8c362db45bf753840af4972d701c88039ef1bf975a82be90d5883c8a3916bc05170076ce33f79dd91a2d9d57293aa3acb3c6158d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\app
                    Filesize

                    4B

                    MD5

                    7a8184d640ef6cdf954a7f10b80dc908

                    SHA1

                    541efc229f03c114a3e8f8413a293947e2578e82

                    SHA256

                    f82cb3b7c58b97a0b99662278b17e1cfb211ac7db5640f116ee2cc78475a1887

                    SHA512

                    cfa2535b3f842bc525b5d07053fd0267bbdea903364965971b472a172395c557d716b3caa5330a80c197331ce6b0fa6c1d3cb9bed4ae290fc4a8190479425659

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
                    Filesize

                    25KB

                    MD5

                    ce8130a325de84cf9368b6ad723da71a

                    SHA1

                    490a5db325ad7649fef5f9b3145a6b8e26466954

                    SHA256

                    271fa72b34f557f9115193b0a9b360262371df92512707c3866c78dcbca4fa7d

                    SHA512

                    d69f6255e5b063efce165a62015501caa241e1fae02b706ef355170d99d0323ffe50641933e1e3b01c3eeb5664b5c64eb804ac2291b8a2575e14d148378743f2

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\server.exe
                    Filesize

                    93KB

                    MD5

                    a2678bbd0eace916ffeb692085da3ce3

                    SHA1

                    4962672978e14a77eddc7992296faa88f68cfc0e

                    SHA256

                    0d1e495ca174082e5f51835d1fab22a9a664e83dd06cbd6670617cbb1c30a456

                    SHA512

                    8f773d8bf5389953d886074f9da65e7114479d05e63f1f60da66db89381e06d5c9e8780d03131d89ffe01c1be5daf5c020fa201ded7048d70c15f9261752d861

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\server.exe
                    Filesize

                    52KB

                    MD5

                    0e65c9a4fafdb2e3f68449fb6cd38ac2

                    SHA1

                    118cb21966f77c4b69ced753a95f14ad534db911

                    SHA256

                    793a9bf896a893384356aa8ee0ec486abfb7bbbfc9e2a461c7dfab25ba94ec22

                    SHA512

                    b99d871674da7f70b2b35947c5aceb9ddae9c54c6b1bfa7d7a3d17ce51effd40287e5ba4c30a7484d08669ba7178107366c4a8c495f7291ec528b8a0e396fc0e

                    Download Submit

                  • \Users\Admin\AppData\Roaming\remcos\remcos.exe
                    Filesize

                    52KB

                    MD5

                    74eb1d86d06d96c71d4dbf7f7720f8ea

                    SHA1

                    f86ea92707a8a0d5256283798ce3847ef74703a3

                    SHA256

                    952008eedd34141bbba424458aca31b63b7d3ba088debeb50c023cd4564e32c2

                    SHA512

                    63534827478946884ba736e33ec6e63dd16a7168e7c49afed04c59b6a6c588184d2ef28250ee020fe4875c32f6b7c64d5159ed69b9ba0ed9d98f8f83febcb63b

                    Download Submit

                  • memory/1620-22-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1620-1-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1620-2-0x000000001B220000-0x000000001B2A0000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/1620-0-0x00000000013C0000-0x00000000013EA000-memory.dmp

                    Filesize

                    168KB

                    Download

                  • memory/2472-39-0x0000000000400000-0x0000000000417000-memory.dmp

                    Filesize

                    92KB

                    Download

                  • memory/2832-50-0x0000000074B90000-0x000000007513B000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/2832-25-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2832-23-0x0000000074B90000-0x000000007513B000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/2832-24-0x0000000074B90000-0x000000007513B000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/2956-56-0x0000000000450000-0x0000000000490000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2956-57-0x0000000074B90000-0x000000007513B000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/2956-51-0x0000000074B90000-0x000000007513B000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/2956-93-0x0000000074B90000-0x000000007513B000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/2956-94-0x0000000000450000-0x0000000000490000-memory.dmp

                    Filesize

                    256KB

                    Download