Analysis
- max time kernel: 148s
- max time network: 147s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 10-05-2024 18:17
Static task: static1
Behavioral task: behavioral1
- Sample: Chibldacfsxzsf.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: Chibldacfsxzsf.exe
- Resource: win10v2004-20240426-en
General
- Target: Chibldacfsxzsf.exe
- Size: 894KB
- MD5: 6850f1f6c863132bc4111613d5af8597
- SHA1: 2f6ac44f7bbc9ecf4a0b791af3ad559481b369b0
- SHA256: 49d61c568a1fc02a955bee79f81f4474d39a878b83072c12c0a8a1352659e1c0
- SHA512: ecb2ece1a470c9dac6be787d5fe8246fd8ac3528fc141a751477386a306ca12c479ba668e946c2caeaf456ffdfb299d10f3e16841e9829da76c4fdd883e80ffa
- SSDEEP: 24576:Fs4e9k02lMgvVO4Zl3SMgI58BcGg2cvGj81rQGXE:FSk24Zl3SMgGCcGg2cvGj81rQGXE
Malware Config
Extracted
Family: remcos
Botnet: kc FILE
C2: 91.223.3.151:4508
Attributes:
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-6ZM3S3
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/2544-39-0x0000000000400000-0x0000000000462000-memory.dmp   MailPassView
  behavioral1/memory/2544-33-0x0000000000400000-0x0000000000462000-memory.dmp   MailPassView
  behavioral1/memory/2544-47-0x0000000000400000-0x0000000000462000-memory.dmp   MailPassView
NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/3900-32-0x0000000000400000-0x0000000000478000-memory.dmp   WebBrowserPassView
  behavioral1/memory/3900-49-0x0000000000400000-0x0000000000478000-memory.dmp   WebBrowserPassView
Nirsoft (7 IoCs)
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/4072-40-0x0000000000400000-0x0000000000424000-memory.dmp   Nirsoft
  behavioral1/memory/2544-39-0x0000000000400000-0x0000000000462000-memory.dmp   Nirsoft
  behavioral1/memory/4072-37-0x0000000000400000-0x0000000000424000-memory.dmp   Nirsoft
  behavioral1/memory/2544-33-0x0000000000400000-0x0000000000462000-memory.dmp   Nirsoft
  behavioral1/memory/2544-47-0x0000000000400000-0x0000000000462000-memory.dmp   Nirsoft
  behavioral1/memory/3900-32-0x0000000000400000-0x0000000000478000-memory.dmp   Nirsoft
  behavioral1/memory/3900-49-0x0000000000400000-0x0000000000478000-memory.dmp   Nirsoft
Executes dropped EXE (4 IoCs)
Processes:
  pid   Process
  3440  cadlbihC.pif
  3900  cadlbihC.pif
  2544  cadlbihC.pif
  4072  cadlbihC.pif
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes:
  description   ioc                                                                                                                   Process
  Key opened    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts   cadlbihC.pif
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                            Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chibldac = "C:\\Users\\Public\\Chibldac.url"   Chibldacfsxzsf.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes:
  description                          pid   Process             procid_target
  PID 3484 set thread context of 3440  3484  Chibldacfsxzsf.exe  74
  PID 3440 set thread context of 3900  3440  cadlbihC.pif        75
  PID 3440 set thread context of 2544  3440  cadlbihC.pif        76
  PID 3440 set thread context of 4072  3440  cadlbihC.pif        77
Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  description             flow  ioc
  HTTP User-Agent header  3     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  6     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   Process
  3900  cadlbihC.pif
  3900  cadlbihC.pif
  4072  cadlbihC.pif
  4072  cadlbihC.pif
  3900  cadlbihC.pif
  3900  cadlbihC.pif
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   Process
  3440  cadlbihC.pif
Suspicious behavior: MapViewOfSection (3 IoCs)
Processes:
  pid   Process
  3440  cadlbihC.pif
  3440  cadlbihC.pif
  3440  cadlbihC.pif
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   Process
  Token: SeDebugPrivilege  4072  cadlbihC.pif
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   Process
  3440  cadlbihC.pif
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description                       pid   Process             procid_target
  PID 3484 wrote to memory of 2744  3484  Chibldacfsxzsf.exe  73
  PID 3484 wrote to memory of 2744  3484  Chibldacfsxzsf.exe  73
  PID 3484 wrote to memory of 2744  3484  Chibldacfsxzsf.exe  73
  PID 3484 wrote to memory of 3440  3484  Chibldacfsxzsf.exe  74
  PID 3484 wrote to memory of 3440  3484  Chibldacfsxzsf.exe  74
  PID 3484 wrote to memory of 3440  3484  Chibldacfsxzsf.exe  74
  PID 3484 wrote to memory of 3440  3484  Chibldacfsxzsf.exe  74
  PID 3484 wrote to memory of 3440  3484  Chibldacfsxzsf.exe  74
  PID 3440 wrote to memory of 3900  3440  cadlbihC.pif        75
  PID 3440 wrote to memory of 3900  3440  cadlbihC.pif        75
  PID 3440 wrote to memory of 3900  3440  cadlbihC.pif        75
  PID 3440 wrote to memory of 2544  3440  cadlbihC.pif        76
  PID 3440 wrote to memory of 2544  3440  cadlbihC.pif        76
  PID 3440 wrote to memory of 2544  3440  cadlbihC.pif        76
  PID 3440 wrote to memory of 4072  3440  cadlbihC.pif        77
  PID 3440 wrote to memory of 4072  3440  cadlbihC.pif        77
  PID 3440 wrote to memory of 4072  3440  cadlbihC.pif        77
Processes
C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe (PID 3484)
  command line: "C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\extrac32.exe (PID 2744)
    command line: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe C:\\Users\\Public\\Libraries\\Chibldac.PIF
  C:\Users\Public\Libraries\cadlbihC.pif (PID 3440)
    command line: C:\Users\Public\Libraries\cadlbihC.pif
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Public\Libraries\cadlbihC.pif (PID 3900)
      command line: C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\rigvjimsxjdzunlblmeoaxchvbnni"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Public\Libraries\cadlbihC.pif (PID 2544)
      command line: C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\cklokbxulrvexbhfcxrqlkxqehxojcuh"
      - Executes dropped EXE
      - Accesses Microsoft Outlook accounts
    C:\Users\Public\Libraries\cadlbihC.pif (PID 4072)
      command line: C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\meqg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
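The process tree above shows the whole loader chain in four steps: extrac32.exe, a signed Windows binary, is run with /C to copy the dropper into C:\Users\Public\Libraries under a .PIF name; the copy (which runs as cadlbihC.pif, the reverse of the Chibldac.PIF name handed to extrac32) spawns itself three times via SetThreadContext/WriteProcessMemory; each child receives /stext <file>, the NirSoft command-line switch that saves recovered passwords to a text file, which is why the MailPassView/WebBrowserPassView YARA rules fire on those PIDs' memory; and persistence is a Run key whose data is a .url under C:\Users\Public. The Python below is an added detection example, not part of the sandbox report or of any vendor's product. It encodes those four observations as rules and runs them over constructed process-creation and registry events built from the command lines and the registry write listed above; the event dict layout, the field names, the rule names, the placeholder parent PID 1000 and the benign extrac32 control event are assumptions of this example, not real telemetry.

```python
import re

# Constructed sample events modeled on the process tree in the report.
# Field names loosely follow Sysmon (Event ID 1 process creation, Event ID 13
# registry value set); the dict layout and the parent PID 1000 are assumptions.
EVENTS = [
    {"type": "process", "pid": "3484", "ppid": "1000",
     "image": r"C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe"'},
    {"type": "process", "pid": "2744", "ppid": "3484",
     "image": r"C:\Windows\SysWOW64\extrac32.exe",
     "cmdline": r"C:\Windows\System32\extrac32.exe /C /Y "
                r"C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe "
                r"C:\Users\Public\Libraries\Chibldac.PIF"},
    {"type": "process", "pid": "3440", "ppid": "3484",
     "image": r"C:\Users\Public\Libraries\cadlbihC.pif",
     "cmdline": r"C:\Users\Public\Libraries\cadlbihC.pif"},
    {"type": "process", "pid": "3900", "ppid": "3440",
     "image": r"C:\Users\Public\Libraries\cadlbihC.pif",
     "cmdline": r'C:\Users\Public\Libraries\cadlbihC.pif /stext '
                r'"C:\Users\Admin\AppData\Local\Temp\rigvjimsxjdzunlblmeoaxchvbnni"'},
    {"type": "registry", "pid": "3484",
     "image": r"C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\Chibldac",
     "value": r"C:\Users\Public\Chibldac.url"},
    # Constructed benign control: extrac32 used for its documented purpose
    # (extracting a cabinet), no /C and no executable landing under Public.
    {"type": "process", "pid": "5000", "ppid": "1000",
     "image": r"C:\Windows\System32\extrac32.exe",
     "cmdline": r"C:\Windows\System32\extrac32.exe /Y /E "
                r"/L C:\Users\Admin\Downloads\out C:\Users\Admin\Downloads\pkg.cab"},
]

EXEC_EXT = (".exe", ".pif", ".scr", ".com")
PUBLIC_DIR = re.compile(r"^c:\\users\\public\\", re.IGNORECASE)
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


def rule_extrac32_copy_to_public(ev):
    # extrac32 /C <src> <dst> copies a file instead of extracting a cabinet;
    # flag it when the destination is an executable under the Public profile.
    # Whitespace split is enough for the paths in this sample; quoted paths
    # containing spaces would need a real Windows argv parser.
    if ev["type"] != "process" or not ev["image"].lower().endswith("\\extrac32.exe"):
        return False
    toks = ev["cmdline"].split()
    if "/C" not in (t.upper() for t in toks):
        return False
    dest = toks[-1]
    return PUBLIC_DIR.match(dest) is not None and dest.lower().endswith(EXEC_EXT)


def rule_nirsoft_stext_dump(ev):
    # NirSoft password-recovery tools take "/stext <file>" to write recovered
    # credentials to a text file; an arbitrary image receiving that switch is
    # the injected-tool pattern seen in PIDs 3900, 2544 and 4072.
    return ev["type"] == "process" and re.search(r"(?i)\s/stext\s", ev["cmdline"]) is not None


def rule_run_key_public_url(ev):
    # Run key whose data is a .url shortcut under the Public profile.
    if ev["type"] != "registry" or RUN_KEY not in ev["target"].lower():
        return False
    val = ev.get("value", "")
    return PUBLIC_DIR.match(val) is not None and val.lower().endswith(".url")


def rule_self_spawn_from_public(ev, by_pid):
    # A binary under Public starting another instance of the same image:
    # the parent of 3900/2544/4072 is 3440, the same cadlbihC.pif.
    if ev["type"] != "process" or PUBLIC_DIR.match(ev["image"]) is None:
        return False
    parent = by_pid.get(ev["ppid"])
    return parent is not None and parent["image"].lower() == ev["image"].lower()


def run_detections(events):
    """Return (rule_name, pid) pairs for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for ev in events:
        if rule_extrac32_copy_to_public(ev):
            hits.append(("extrac32_copy_to_public", ev["pid"]))
        if rule_nirsoft_stext_dump(ev):
            hits.append(("nirsoft_stext_dump", ev["pid"]))
        if rule_run_key_public_url(ev):
            hits.append(("run_key_public_url", ev["pid"]))
        if rule_self_spawn_from_public(ev, by_pid):
            hits.append(("self_spawn_from_public", ev["pid"]))
    return hits


if __name__ == "__main__":
    for name, pid in run_detections(EVENTS):
        print(f"{name:<24} pid={pid}")
```

Run as-is it reports the extrac32 copy (PID 2744), the /stext child and its self-spawn (PID 3900) and the Run key write (PID 3484), and stays silent on the benign extrac32 control. Each rule is deliberately narrow to the chain on this page; in production the /stext and self-spawn rules are the ones worth keeping broad, since the PIF name, the Public\Libraries path and the .url data are trivially changed per build while the NirSoft switch and the hollowed self-copy are the family's working parts.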
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144B
  MD5: eb8c1a99928aed30e20731b21b7877fd
  SHA1: 197beb7513c5716a461a18d0b5d8fd77f699f6ba
  SHA256: e4dc7124c508dc471cf452b017f2994cf46813ae563c97c51bd2f7d6e5bb883b
  SHA512: efa8034445409ab87ac3396677978298df5c3d2fd84a47e0d95d137325549020d445cbf74974170e8aea5b3d20eb79aaa209e9656fc36190a35fc9c61f9cc830
- Filesize: 4KB
  MD5: cb998c648b6f4ad55a89eb482aac3598
  SHA1: 0965844779ba17661d18e216289ae0422777b689
  SHA256: ea32319f2bc8d294d729b82a946fb2a0eedf37902a04c01efb5a75efbecdb395
  SHA512: 97dedfbc8ad9b6149a8e044669efb69539ba9f738b032aa2408e759dd16b86f86d9364af2f229c2fad70c8ede6a42767c5f112a2eb7452de6334ac2b34dc4124
- Filesize: 66KB
  MD5: c116d3604ceafe7057d77ff27552c215
  SHA1: 452b14432fb5758b46f2897aeccd89f7c82a727d
  SHA256: 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
  SHA512: 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6