Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-es
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-es, locale:es-es, os:windows10-2004-x64, system, windows
  • submitted
    27-03-2024 15:33

General

  • Target

    12.exe

  • Size

    275KB

  • MD5

    d08b871274cd8c8e5033e354c55e44bc

  • SHA1

    1ee737ecbe44bf49467b1743a6021df4a581e122

  • SHA256

    e2a5c5c2e695cd3e44db874a2ceee23ec1915574c126f6b2f9c387802bd70e22

  • SHA512

    fdfcdc5f6004d99dee8cff5b184554a347916b1ec9f510e4bcfa05d81c6aeb9bdedcea45104e8ba3c3a38c247d386d45ce84d4e75e102c541488466f5d5ed243

  • SSDEEP

    3072:qs2fzJpw9ouUB4KkCkx5kKn7GLGGKgr/JhnZZoDiuTvORNpe:FG6dKk5HgDJhnZZoDiwvO1

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

laitheliar.duckdns.org:4047

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-JUNJ0J

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Detect ZGRat V1 34 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12.exe
    "C:\Users\Admin\AppData\Local\Temp\12.exe"
    PID:452
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\12.exe (child of PID 452)
      "C:\Users\Admin\AppData\Local\Temp\12.exe"
      PID:2320


    Downloads
