Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-es
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-es, locale:es-es, os:windows10-2004-x64, system:windows
- submitted: 27-03-2024 15:33
Static task
- static1: 1 signature

Behavioral task
- behavioral1: Sample 12.exe, Resource win7-20240221-es, 5 signatures, 120 seconds

Behavioral task
- behavioral2: Sample 12.exe, Resource win10v2004-20240226-es, 6 signatures, 120 seconds
General
- Target: 12.exe
- Size: 275KB
- MD5: d08b871274cd8c8e5033e354c55e44bc
- SHA1: 1ee737ecbe44bf49467b1743a6021df4a581e122
- SHA256: e2a5c5c2e695cd3e44db874a2ceee23ec1915574c126f6b2f9c387802bd70e22
- SHA512: fdfcdc5f6004d99dee8cff5b184554a347916b1ec9f510e4bcfa05d81c6aeb9bdedcea45104e8ba3c3a38c247d386d45ce84d4e75e102c541488466f5d5ed243
- SSDEEP: 3072:qs2fzJpw9ouUB4KkCkx5kKn7GLGGKgr/JhnZZoDiuTvORNpe:FG6dKk5HgDJhnZZoDiwvO1
- Score: 10/10
Malware Config
Extracted
- Family: remcos
- Botnet: RemoteHost
- C2: laitheliar.duckdns.org:4047
Attributes
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-JUNJ0J
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
-
Detect ZGRat V1 34 IoCs
Suspicious use of SetThreadContext 1 IoCs
description                          pid  Process  procid_target
PID 452 set thread context of 2320   452  12.exe   103
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description               pid  Process
Token: SeDebugPrivilege   452  12.exe
Token: SeDebugPrivilege   452  12.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description                        pid  Process  procid_target
PID 452 wrote to memory of 2320    452  12.exe   103
PID 452 wrote to memory of 2320    452  12.exe   103
PID 452 wrote to memory of 2320    452  12.exe   103
PID 452 wrote to memory of 2320    452  12.exe   103
PID 452 wrote to memory of 2320    452  12.exe   103
PID 452 wrote to memory of 2320    452  12.exe   103
PID 452 wrote to memory of 2320    452  12.exe   103
PID 452 wrote to memory of 2320    452  12.exe   103
PID 452 wrote to memory of 2320    452  12.exe   103
PID 452 wrote to memory of 2320    452  12.exe   103
PID 452 wrote to memory of 2320    452  12.exe   103
PID 452 wrote to memory of 2320    452  12.exe   103
Processes
- C:\Users\Admin\AppData\Local\Temp\12.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12.exe"
  PID: 452
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\12.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\12.exe"
    PID: 2320