Overview

overview

10

Static

static

3

RFQ SY103 ...24.scr

windows7-x64

10

RFQ SY103 ...24.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-04-2024 02:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ SY103 first order 2024.scr

  • Size

    966KB

  • MD5

    9beaec299e48eb0072fd6e270d8e8cd3

  • SHA1

    a719b69d48a210af3749bccd27b4ad5185c35d8d

  • SHA256

    554b40336bad24df88cbde544cdf20d553d02ce7fee5dab9a82318d7c21471e0

  • SHA512

    d0742bee412db3abdb8ddee99ceaf45721f6c72c2b9044838d755b6e8a51377831177eb087f709efee31dc36871e2e274338734731e3d89519bebfb1e74c0733

  • SSDEEP

    24576:dtHKWYHu2k6ei445zcNjNGbr3SN2jcjR11O7Akmla:7KWYHu2kf745zCa3SN2jcjRuUkK

Score
10/10
remcosbuddycollectionratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

BUDDY

C2

192.210.201.57:52499

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-LMLI87

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr
    "C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr
      "C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr
        "C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr" /stext "C:\Users\Admin\AppData\Local\Temp\uetnbddtiidjlxizefaxb"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:5100
      • C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr
        "C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr" /stext "C:\Users\Admin\AppData\Local\Temp\eyygbvnvwqvoodwloqmzmzdk"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:5008
      • C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr
        "C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr" /stext "C:\Users\Admin\AppData\Local\Temp\gadqcoypkznbyrkpfbhaxexbveso"
        3⤵
          PID:1088
        • C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr
          "C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr" /stext "C:\Users\Admin\AppData\Local\Temp\gadqcoypkznbyrkpfbhaxexbveso"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4288

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\remcos\logs.dat
      Filesize

      144B

      MD5

      9a04dd0be747940d18ebd4114ae360b1

      SHA1

      1596b4996e999719c9e0ee57c667c5be9d9687e8

      SHA256

      540cf6fe6099022fd156efdc5d92adb1c3f66c23033a2091e7c949646416187e

      SHA512

      423b7c6dc1611fd0a52b7e81fbc3bc8f1a4ca3a444611bb42a6af9b0816c12179e6607d32b6de66167ffe86bed856f80d5f97b581591594f7865000b3aa12b13

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\uetnbddtiidjlxizefaxb
      Filesize

      4KB

      MD5

      636c8230de66506aa2bdb3deee259503

      SHA1

      244299ce9ed66e9bed0c458c28fa3c417eeabdee

      SHA256

      98e7ebb0441c43ba079892f7fd1e9c1360d9d0e6d37575e452944fa0b08638d4

      SHA512

      fb5756dc8c9726be7b7629230ca5cf12c59f7d01225b9b73f08953bd02087bef10e1d2cdb6ed717776d683bd5ce523a069a6ab081992839a238056d57fc4eb6e

      Download Submit
    • memory/4032-54-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize

      100KB

      Download
    • memory/4032-53-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize

      100KB

      Download
    • memory/4032-90-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-89-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-81-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-74-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-73-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-66-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-10-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-11-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-13-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-15-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-65-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-17-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-18-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-19-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-21-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-20-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-22-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-24-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-26-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-27-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-61-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-57-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize

      100KB

      Download
    • memory/4032-82-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-55-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize

      100KB

      Download
    • memory/4032-56-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4032-50-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize

      100KB

      Download
    • memory/4288-46-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/4288-45-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/4288-42-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/4288-37-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/4288-44-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/4656-8-0x0000000006560000-0x0000000006620000-memory.dmp
      Filesize

      768KB

      Download
    • memory/4656-14-0x0000000075220000-0x00000000759D0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4656-2-0x0000000004FF0000-0x0000000005594000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4656-6-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4656-0-0x00000000000B0000-0x00000000001A6000-memory.dmp
      Filesize

      984KB

      Download
    • memory/4656-3-0x0000000004AE0000-0x0000000004B72000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4656-4-0x00000000026E0000-0x00000000026F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4656-5-0x0000000004A80000-0x0000000004A8A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4656-7-0x0000000006080000-0x000000000608C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/4656-9-0x0000000008C10000-0x0000000008CAC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4656-1-0x0000000075220000-0x00000000759D0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/5008-36-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/5008-29-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/5008-33-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/5008-43-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/5100-28-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/5100-32-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/5100-48-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/5100-35-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download