Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 22-04-2024 11:17
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe
  Resource: win10v2004-20240412-en
General
Target: 2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe
Size: 2.4MB
MD5: 2c7e09a9d26e501906d4e75688b853d4
SHA1: 4c547055d4be1a7fe94a0d245a8dd3c2168bbf7a
SHA256: 92fb10cf31703cafd85fd04fedb97c6ea5df8844850cbd355ac7482bf7bb75f9
SHA512: e6ca9edb27903309e500fd34e657d80e50721d31ea2fe9e6b4c3d05c44ea92d22c9de9271f3ee3e007d96ecd778ac74ad7f5300e44aa4f355916a182ecca92a4
SSDEEP: 49152:VC1bkzSYl+aFUUhf3LIE3VEalMlQMW0svMwU5rx2hjp0:VOoL33VEalsIRUdxh
Malware Config
Extracted
Family: remcos
Version: 4.9.3 Light
RemoteHost: 127.0.0.1:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-52SPIJ
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
Processes:
  PID 2860  2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  PID 2588  2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe
Suspicious use of SendNotifyMessage (1 IoC)
Processes:
  PID 2588  2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes (description / pid / process / target process), 7 identical entries:
  PID 2860 wrote to memory of 2588 / 2860 / 2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe / 2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe  "C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe"  (PID 2860)
   - Suspicious use of NtCreateThreadExHideFromDebugger
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe  "C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe"  (PID 2588, child of 2860)
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
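As an added triage example (not part of the sandbox report above): a short Python script that reads the flattened WriteProcessMemory IoC lines in the form the report uses, flags the pattern those seven entries show (a process writing repeatedly into a child that runs the very same image, which is how hollowing/RunPE-style loaders hand control to a fresh copy of themselves), and classifies the extracted RemoteHost so that a loopback C2 such as 127.0.0.1:2404 is recognised as one that will never beacon outside the sandbox. The regular expression for the event line, the sample inputs and the helper names are my assumptions, not the sandbox's own code.

```python
import ipaddress
import re
from collections import Counter

# Image name of the submitted sample, taken from the report.
IMAGE = "2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe"

# Constructed sample input: the seven WriteProcessMemory IoCs from the report in
# the flattened "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
# form, joined on a single line as the page shows them.
WRITE_EVENTS_LINE = " ".join(
    [f"PID 2860 wrote to memory of 2588 2860 {IMAGE} {IMAGE}"] * 7
)

# Constructed control input: one write into a child with a different image,
# which the self-injection rule below must not flag.
OTHER_EVENTS_LINE = "PID 1000 wrote to memory of 1200 1000 parent.exe child.exe"

# Assumed layout of one flattened IoC entry (description, pid, process, target).
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_write_events(text):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples found in text."""
    return [
        (int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        for m in EVENT_RE.finditer(text)
    ]


def find_self_injection(events, min_writes=3):
    """Flag parent->child pairs where a process writes at least min_writes
    times into a different process that runs the same image. A single write
    can be benign tooling; several writes into a same-image child is the
    spawn-suspended / overwrite / resume sequence of a hollowing loader."""
    counts = Counter()
    for src, dst, src_img, dst_img in events:
        if src != dst and src_img == dst_img:
            counts[(src, dst, src_img)] += 1
    return [
        {"parent": src, "child": dst, "image": img, "writes": n}
        for (src, dst, img), n in counts.items()
        if n >= min_writes
    ]


def classify_c2(host_port):
    """Split 'host:port' and classify the host as loopback, private, public
    or hostname, so a loopback/RFC1918 C2 (as in this config) is not filed as
    a live external beacon. Bracketed IPv6 literals are not handled here."""
    host, _, port = host_port.rpartition(":")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return ("hostname", int(port))
    if ip.is_loopback:
        kind = "loopback"
    elif ip.is_private:
        kind = "private"
    else:
        kind = "public"
    return (kind, int(port))


if __name__ == "__main__":
    events = parse_write_events(WRITE_EVENTS_LINE + " " + OTHER_EVENTS_LINE)
    for hit in find_self_injection(events):
        print(f"self-injection: {hit['parent']} -> {hit['child']} "
              f"({hit['writes']} writes into {hit['image']})")
    print("C2:", classify_c2("127.0.0.1:2404"))
```

Run against the report's own entries, the script reports one self-injection pair (2860 -> 2588, 7 writes) and a loopback C2 on port 2404; the threshold of three writes is a starting point to tune against your own sandbox's noise, not a fixed rule.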