Overview

overview

10

Static

static

3

f2fe3aa0d2...8e.exe

windows7-x64

10

f2fe3aa0d2...8e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 13:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2fe3aa0d244d7f17610042ee41aaa3eff40b1a349b43f317ff92f6ec5b7608e.exe

  • Size

    989KB

  • MD5

    5d4a1543df1e7ee3ec6393b7f2e9435c

  • SHA1

    f57d0fbb8a3c5f96486b87bfeb56c9ee140faca9

  • SHA256

    f2fe3aa0d244d7f17610042ee41aaa3eff40b1a349b43f317ff92f6ec5b7608e

  • SHA512

    7e56907cc86e423bab6bc02661ca8ba7787ed5fe412a226a326a97ed115c3b9da03f2ef6ec603fcb6f2b561be31487ec252d337c68791079b0ffe85e03312e78

  • SSDEEP

    12288:ppahc5Gs5eiBq7rdlsOkbSFRUx4rbFY4Qo/g7bmGhiqZr8JqkOMbpceiLz1dl:pZci87Hs5bRkQommGQKJWpBiZ

Score
10/10
remcosadmepcrat

Malware Config

Extracted

Family

remcos

Botnet

Admepc

C2

darkotemplar.sytes.net:1999

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    admepc.exe

  • copy_folder

    Admepc

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    admepc

  • mouse_option

    false

  • mutex

    Rmc-SETMPC

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2fe3aa0d244d7f17610042ee41aaa3eff40b1a349b43f317ff92f6ec5b7608e.exe
    "C:\Users\Admin\AppData\Local\Temp\f2fe3aa0d244d7f17610042ee41aaa3eff40b1a349b43f317ff92f6ec5b7608e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Users\Admin\AppData\Local\Temp\f2fe3aa0d244d7f17610042ee41aaa3eff40b1a349b43f317ff92f6ec5b7608e.exe
      "C:\Users\Admin\AppData\Local\Temp\f2fe3aa0d244d7f17610042ee41aaa3eff40b1a349b43f317ff92f6ec5b7608e.exe"
      2⤵
        PID:2840
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 512
          3⤵
          • Program crash
          PID:1916
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2840 -ip 2840
      1⤵
        PID:2204
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4076

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1600-0-0x0000000074EE0000-0x0000000075690000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/1600-1-0x0000000000240000-0x000000000033E000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/1600-2-0x0000000004E20000-0x0000000004E30000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1600-3-0x0000000004CC0000-0x0000000004D6E000-memory.dmp
          Filesize

          696KB

          Download
        • memory/1600-4-0x00000000053E0000-0x0000000005984000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/1600-5-0x0000000004ED0000-0x0000000004F62000-memory.dmp
          Filesize

          584KB

          Download
        • memory/1600-6-0x0000000004F70000-0x000000000500C000-memory.dmp
          Filesize

          624KB

          Download
        • memory/1600-7-0x0000000004E10000-0x0000000004E18000-memory.dmp
          Filesize

          32KB

          Download
        • memory/1600-21-0x0000000074EE0000-0x0000000075690000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2840-9-0x0000000000630000-0x00000000006B2000-memory.dmp
          Filesize

          520KB

          Download
        • memory/2840-14-0x0000000000630000-0x00000000006B2000-memory.dmp
          Filesize

          520KB

          Download
        • memory/2840-20-0x0000000000630000-0x00000000006B2000-memory.dmp
          Filesize

          520KB

          Download