Overview

overview

10

Static

static

3

10012024_1...em.exe

windows7-x64

10

10012024_1...em.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    178s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/01/2024, 09:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10012024_1753_gbrem.exe

  • Size

    15.6MB

  • MD5

    b6a22c3dfc954914f051aa33d2e2af1a

  • SHA1

    18a53be63f02b68b9772a892816f83a6d97a1789

  • SHA256

    564d742044e5ac9f6279c01c5c29bb801606b63c6c2cbfc2af09d8f2a73b84a6

  • SHA512

    4dad54e04a99cdfbe473813647bb95e4410964b3fde126faca497f27ca8bcbcbd81f41129716af6a948a131282b6bde003b172b4cdcc33825d53c3144509a23f

  • SSDEEP

    393216:XsMcUFlcXXZKTMlViqmu0k4nj8AcVwecyccnauSbb1LcVm:8pnZKTMlgfkMXcVMyouSbbK

Score
10/10
remcosdvgrat

Malware Config

Extracted

Family

remcos

Botnet

dvg

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    word.exe

  • copy_folder

    DVG

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    dgvsv-Z4Y1VB

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10012024_1753_gbrem.exe
    "C:\Users\Admin\AppData\Local\Temp\10012024_1753_gbrem.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3720
    • C:\Users\Admin\AppData\Local\Temp\10012024_1753_gbrem.exe
      "C:\Users\Admin\AppData\Local\Temp\10012024_1753_gbrem.exe"
      2⤵
        PID:3692
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3692 -ip 3692
      1⤵
        PID:4040

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3692-6-0x0000000001600000-0x0000000001682000-memory.dmp

        Filesize

        520KB

        Download

      • memory/3692-11-0x0000000001600000-0x0000000001682000-memory.dmp

        Filesize

        520KB

        Download

      • memory/3692-18-0x0000000001600000-0x0000000001682000-memory.dmp

        Filesize

        520KB

        Download

      • memory/3720-0-0x0000000075030000-0x00000000757E0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3720-1-0x00000000002A0000-0x000000000124C000-memory.dmp

        Filesize

        15.7MB

        Download

      • memory/3720-2-0x0000000075030000-0x00000000757E0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3720-3-0x0000000006330000-0x00000000068D4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3720-4-0x0000000005D70000-0x0000000005D80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3720-5-0x0000000005D70000-0x0000000005D80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3720-17-0x0000000075030000-0x00000000757E0000-memory.dmp

        Filesize

        7.7MB

        Download