Overview

overview

10

Static

static

3

ungziped_file.exe

windows7-x64

10

ungziped_file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-01-2024 08:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ungziped_file.exe

  • Size

    2.0MB

  • MD5

    a478422522067fbb67b31099db6668bc

  • SHA1

    749000fbedbc419986a84bd437a5d53c84bd24e6

  • SHA256

    e60532b82799103e53b59fa601e202ede08fe446bd4e7cbf47e5fcbdd332ccc9

  • SHA512

    6f3eddad74ef3ae864c242fc5176a8dbaeb18da09aa1ba9143b96bc89da807c005e1fc25207a9907b91b5cf54275ffb5c5e78a362f6b422e9e1ee2ee049534eb

  • SSDEEP

    24576:bir4EZvZ42XYhAejzefbIWw6BtKjUq4J2Q+2RitBiuHoXMEb8rJ9Mgfmvj9:0W2XiHjzefbSQAPcuIY4mmb9

Score
10/10
remcoszgrat24collectionpersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

24

C2

162.218.122.24:5707

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-A49MY7

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Detect ZGRat V1 34 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
    "C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
      C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
        C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe /stext "C:\Users\Admin\AppData\Local\Temp\rrovdmzbnzokxskpeiiw"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3188
      • C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
        C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe /stext "C:\Users\Admin\AppData\Local\Temp\utuoefkubhgpzygtnsvqxzn"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:1960
      • C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
        C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe /stext "C:\Users\Admin\AppData\Local\Temp\eozyfxuwppzckfuxwdprilzati"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rrovdmzbnzokxskpeiiw
    Filesize

    4KB

    MD5

    636c8230de66506aa2bdb3deee259503

    SHA1

    244299ce9ed66e9bed0c458c28fa3c417eeabdee

    SHA256

    98e7ebb0441c43ba079892f7fd1e9c1360d9d0e6d37575e452944fa0b08638d4

    SHA512

    fb5756dc8c9726be7b7629230ca5cf12c59f7d01225b9b73f08953bd02087bef10e1d2cdb6ed717776d683bd5ce523a069a6ab081992839a238056d57fc4eb6e

    Download Submit
  • memory/320-952-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/320-991-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/320-990-0x0000000010000000-0x0000000010019000-memory.dmp
    Filesize

    100KB

    Download
  • memory/320-989-0x0000000010000000-0x0000000010019000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1960-971-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize

    348KB

    Download
  • memory/1960-977-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize

    348KB

    Download
  • memory/3188-967-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/3188-981-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/4108-978-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/4108-979-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/4980-52-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-36-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-32-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-30-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-28-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-26-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-24-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-38-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-48-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-58-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-56-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-54-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-62-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-64-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-68-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-66-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-60-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-10-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-50-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-46-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-44-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-42-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-40-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-20-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-34-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-22-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-18-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-16-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-14-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-12-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-8-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-5-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-937-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4980-938-0x0000000005B00000-0x0000000005B70000-memory.dmp
    Filesize

    448KB

    Download
  • memory/4980-939-0x0000000005E10000-0x0000000005E5C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4980-941-0x0000000006000000-0x0000000006066000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4980-6-0x00000000059A0000-0x0000000005A71000-memory.dmp
    Filesize

    836KB

    Download
  • memory/4980-4-0x00000000059A0000-0x0000000005A78000-memory.dmp
    Filesize

    864KB

    Download
  • memory/4980-3-0x00000000058C0000-0x0000000005996000-memory.dmp
    Filesize

    856KB

    Download
  • memory/4980-2-0x0000000003440000-0x0000000003450000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4980-0-0x0000000000D10000-0x0000000000F10000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4980-1-0x00000000744E0000-0x0000000074C90000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4980-940-0x0000000005F60000-0x0000000005FF2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4980-942-0x0000000006930000-0x0000000006ED4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4980-943-0x00000000744E0000-0x0000000074C90000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4980-944-0x0000000003440000-0x0000000003450000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4980-950-0x00000000744E0000-0x0000000074C90000-memory.dmp
    Filesize

    7.7MB

    Download