Overview

overview

10

Static

static

3

af085d32fc...1e.dll

windows7-x64

1

af085d32fc...1e.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-03-2024 23:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af085d32fcd03132b71cad68b7c3f25235d8b8740e46a85f63623e000c28221e.dll

  • Size

    15.1MB

  • MD5

    2f933f7527e61d37807589b9c7b5ae2b

  • SHA1

    20e5bdb644b1c6e23ec02f2b21c863b8b5ab7ea6

  • SHA256

    af085d32fcd03132b71cad68b7c3f25235d8b8740e46a85f63623e000c28221e

  • SHA512

    1bc50117f43a1563b290f302ef19f0a3bd80775c751b32bc15c78e587e21cf440ffaa1e658939338bf95d68677f9ad1f075273c93b7ea7109299c0173f33d560

  • SSDEEP

    196608:xB0ivGTAslgbSYBsnBho/wnBvq+4rMOblxz6qYFS1qY2aubxi58/EUxFFVs8pTwR:xBzvfaEog+4rdbUTFV3wOw

Score
10/10
hawkeyeremcostutt0acollectionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

remcos

Botnet

tutt0a

C2

peleinufele.kozow.com:32024

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-YRYWDT

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 9 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\af085d32fcd03132b71cad68b7c3f25235d8b8740e46a85f63623e000c28221e.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\af085d32fcd03132b71cad68b7c3f25235d8b8740e46a85f63623e000c28221e.dll
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4960
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f
          4⤵
          • Adds Run key to start application
          PID:3900
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\SysWOW64\regsvr32.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4780
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\SysWOW64\regsvr32.exe /stext "C:\Users\Admin\AppData\Local\Temp\xjdwmivmumr"
          4⤵
            PID:5032
          • C:\Windows\SysWOW64\regsvr32.exe
            C:\Windows\SysWOW64\regsvr32.exe /stext "C:\Users\Admin\AppData\Local\Temp\xjdwmivmumr"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3484
          • C:\Windows\SysWOW64\regsvr32.exe
            C:\Windows\SysWOW64\regsvr32.exe /stext "C:\Users\Admin\AppData\Local\Temp\imjonagoqujorx"
            4⤵
            • Accesses Microsoft Outlook accounts
            PID:4000
          • C:\Windows\SysWOW64\regsvr32.exe
            C:\Windows\SysWOW64\regsvr32.exe /stext "C:\Users\Admin\AppData\Local\Temp\sgohnlriecbttdqsd"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3848
          • C:\Windows\SysWOW64\dxdiag.exe
            "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
            4⤵
            • Drops file in System32 directory
            • Checks SCSI registry key(s)
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:4300

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
      Filesize

      47KB

      MD5

      5d2064661ba09a92fa0e05844998a47a

      SHA1

      6b4f3de6b9aacb125f6ac89517702726b5eea1ad

      SHA256

      c46881fc123fb9f550e22b5fe7d813941315b142d3b74c4b344f5e02eb8c74ab

      SHA512

      23b85daa782eac8742eb4d21230ae6aa35c563ddac1d1182d640b9f1f463ef18f1258593a38154352852fe46bd10d287e5890b529a3285ec9764500f01b5cf31

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
      Filesize

      84KB

      MD5

      88e4fedb1333c0da4330341343eb4580

      SHA1

      b3dbe7ea5f21f9d7b1316b5f1a7aef17a4640728

      SHA256

      9ee06fba9105f475a95d0ce7b90f1ed4f9a3a90051df6b1dec2da0224b3f86d0

      SHA512

      0656a7149c894b4dbb6aaf8527a064c46dffb7b0c394f87077429ce0e8dee1e23c7c36dae96b3e19a0cf212abfa5764118e89e0d35457380702610b2443352ce

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\xjdwmivmumr
      Filesize

      4KB

      MD5

      636c8230de66506aa2bdb3deee259503

      SHA1

      244299ce9ed66e9bed0c458c28fa3c417eeabdee

      SHA256

      98e7ebb0441c43ba079892f7fd1e9c1360d9d0e6d37575e452944fa0b08638d4

      SHA512

      fb5756dc8c9726be7b7629230ca5cf12c59f7d01225b9b73f08953bd02087bef10e1d2cdb6ed717776d683bd5ce523a069a6ab081992839a238056d57fc4eb6e

      Download Submit

    • memory/536-0-0x0000000010000000-0x0000000010F92000-memory.dmp

      Filesize

      15.6MB

      Download

    • memory/536-1-0x0000000010000000-0x0000000010F92000-memory.dmp

      Filesize

      15.6MB

      Download

    • memory/536-4-0x0000000010000000-0x0000000010F92000-memory.dmp

      Filesize

      15.6MB

      Download

    • memory/536-6-0x0000000010000000-0x0000000010F92000-memory.dmp

      Filesize

      15.6MB

      Download

    • memory/3484-28-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/3484-50-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/3484-37-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/3484-31-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/3484-43-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/3484-42-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/3484-40-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/3848-45-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/3848-39-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/3848-35-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/3848-41-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4000-44-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4000-36-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4000-34-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4000-29-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4300-69-0x0000000002D70000-0x0000000002D71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4300-78-0x0000000002D70000-0x0000000002D71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4300-79-0x0000000002D70000-0x0000000002D71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4300-75-0x0000000002D70000-0x0000000002D71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4300-77-0x0000000002D70000-0x0000000002D71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4300-67-0x0000000002D70000-0x0000000002D71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4300-68-0x0000000002D70000-0x0000000002D71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4300-73-0x0000000002D70000-0x0000000002D71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4300-76-0x0000000002D70000-0x0000000002D71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4300-74-0x0000000002D70000-0x0000000002D71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4780-20-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-63-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-26-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-25-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-24-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-23-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-21-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-22-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-52-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4780-56-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4780-55-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4780-58-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4780-57-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-59-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-60-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-61-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-62-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-27-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-64-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-65-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-66-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-19-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-17-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-14-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-15-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-12-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-13-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-11-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-10-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-9-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-7-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-5-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-3-0x0000000000AB0000-0x0000000000B32000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4780-98-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

      Download