Analysis
-
max time kernel
1486s -
max time network
1500s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
01/03/2024, 15:31
General
-
Target
Swift 19022024.bat
-
Size
2.2MB
-
MD5
6dc5aa35800875f5e06a20da26286f13
-
SHA1
b9fbf17b8a2aeae452050b2f660ef8cff024a433
-
SHA256
db5c362b0b4ec0a9bbc7b2c5a186a22019c82c2a96a7c326fad2e1f095de22db
-
SHA512
a51120e0800a2694ae14267faf667dc5f37be76bf17bcc042931ef8a1f7f8b38237bf12f441ce3eec7eb4aba15428e3ddcbaa2f23a2944b7f8adbe9c9a5649ab
-
SSDEEP
24576:RLM2LFX2P6Qv1hhxfAswo1eoKHMX+mIi8g1CLbGBi3oucj+9OtOT+a0sloBJCpDo:RYQSv1fxfAsJ1eoVuSDW0YXEx
Malware Config
Extracted
remcos
RemoteHost
swjurf.work.gd:9231
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
hgjbhk
-
mouse_option
false
-
mutex
Rmc-BM92FA
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
ModiLoader Second Stage 1 IoCs
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Nirsoft 6 IoCs
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 1 IoCs
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c certutil -decodehex "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat" "C:\Users\Public\pointer.com" 32⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil -decodehex "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat" "C:\Users\Public\pointer.com" 33⤵
-
-
-
C:\Windows\system32\PING.EXEPING -n 3 127.0.0.12⤵
- Runs ping.exe
-
-
C:\Users\Public\pointer.comC:\Users\Public\pointer.com2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\SoxqluztO.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c mkdir "\\?\C:\Windows "4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"4⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y4⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"4⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y4⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"4⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y4⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"4⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y4⤵
- Enumerates system info in registry
-
-
C:\Windows \System32\easinvoker.exe"C:\\Windows \\System32\\easinvoker.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\sc.exesc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc.exe start truesight6⤵
- Launches sc.exe
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\\Windows \\System32\\easinvoker.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows \System32\easinvoker.exe"C:\\Windows \\System32\\easinvoker.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\System32\colorcpl.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\ddyzt"4⤵
-
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\nylrmbai"4⤵
- Accesses Microsoft Outlook accounts
-
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\qaqcnutkqtt"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 17284⤵
- Program crash
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\RegisterUnlock.vbe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4440 -ip 44401⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
428B
MD5b361e668932de2cd060286e4c1680f3c
SHA1952cf3a412843d88e54d9feefa4aa600408cb9f6
SHA256d4b4f0eb7a954af382e933e04a7497ed47a3ff3ea71868c738399a78ac3b16be
SHA51221206570981879b5502f607209e4c9749edfb9c34f9814bfdd3293fd0ce9ae2d72519a6c4601f15e27f2891f7ca3b6163f95cb8343c91a5b4d56894b58b9e669
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
4KB
MD5785e8193007bcd7858b9df41c9d45f89
SHA129b206de05ab075138ca9e0b9fccdddf3c30cdfe
SHA256c8e1912a3328802e98563e32eb053ae3e28249b701054af227e9f1ba6bfe24d9
SHA512a4d6fd586800f27939d8c152e89d2a231dc9fd8466e715dfeba22e2aa0428509095e12e6e66f2cb5e40ff5c998b439dc3f6792e20c179f41ac9cae31ada9d45f
-
Filesize
7KB
MD50d0d24b46d4bb0e4962595d455020d48
SHA148b247c1cb2577b28aabd7dfa999e0642b5dc6de
SHA256f46e0cc2c119a32dd87edf97bfc73d985ee97d2c9dc00274b6b20d641e29deea
SHA512d5a8779e1cfd2a284173ce8a205cacb41fc7c744fa84e55682ac50b327c676ff50f668ecd176e0ab84420d143a8023d8b4590362b223704c55f5b0d7e116ba2c
-
Filesize
128KB
MD5231ce1e1d7d98b44371ffff407d68b59
SHA125510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA25630951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612
-
Filesize
115KB
MD5ecb0b0d16112f27c57e4048a02802fd5
SHA1f7d1c76802d3948c55114fc0ea82c928936de944
SHA256ae33f291a6f2011ca147c2b48035743aba3c507dcef86e1fa6acb4dee47cbf43
SHA512a18a6cde621274f42e20b4b897df2df984a8e6d420d65198fd6d4193a3a91b8c3ca6905120ac299acd8758da72654e7a650e872425677763894b11c98f03c421
-
Filesize
1.3MB
MD55e14df714a090c430526a6a3f5ae14a9
SHA19d30febbb7666626c8c3a917aeccdda79d39f18a
SHA256699a27d39fd0baa6dee651adf1995ca6eb168657b41235fd0d2cd74c738a8cac
SHA512d20540378cf8e76b39beff338de024d9e061a1c84ab5ac2a0033b2b76f5d845234016b35fcdcabb03c049d65f279101a9993a145b369591b4821c880efb70e34
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
100KB