Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
10-05-2024 18:17
Static task
static1
Behavioral task
behavioral1
Sample
Chibldacfsxzsf.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Chibldacfsxzsf.exe
Resource
win10v2004-20240426-en
General
-
Target
Chibldacfsxzsf.exe
-
Size
894KB
-
MD5
6850f1f6c863132bc4111613d5af8597
-
SHA1
2f6ac44f7bbc9ecf4a0b791af3ad559481b369b0
-
SHA256
49d61c568a1fc02a955bee79f81f4474d39a878b83072c12c0a8a1352659e1c0
-
SHA512
ecb2ece1a470c9dac6be787d5fe8246fd8ac3528fc141a751477386a306ca12c479ba668e946c2caeaf456ffdfb299d10f3e16841e9829da76c4fdd883e80ffa
-
SSDEEP
24576:Fs4e9k02lMgvVO4Zl3SMgI58BcGg2cvGj81rQGXE:FSk24Zl3SMgGCcGg2cvGj81rQGXE
Malware Config
Extracted
remcos
kc FILE
91.223.3.151:4508
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-6ZM3S3
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral2/memory/4172-35-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
behavioral2/memory/4172-41-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral2/memory/4168-40-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral2/memory/4168-34-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral2/memory/4168-51-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
-
Nirsoft 8 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4172-35-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral2/memory/1376-42-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/4172-41-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral2/memory/1376-45-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/4168-40-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral2/memory/1376-43-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/4168-34-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral2/memory/4168-51-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
-
Executes dropped EXE 4 IoCs
Processes:
pid | Process
3572 | cadlbihC.pif
4168 | cadlbihC.pif
4172 | cadlbihC.pif
1376 | cadlbihC.pif
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | cadlbihC.pif
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chibldac = "C:\\Users\\Public\\Chibldac.url" | Chibldacfsxzsf.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | Process | procid_target
PID 1524 set thread context of 3572 | 1524 | Chibldacfsxzsf.exe | 95
PID 3572 set thread context of 4168 | 3572 | cadlbihC.pif | 96
PID 3572 set thread context of 4172 | 3572 | cadlbihC.pif | 97
PID 3572 set thread context of 1376 | 3572 | cadlbihC.pif | 98
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 33 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 36 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | Process
4168 | cadlbihC.pif
4168 | cadlbihC.pif
1376 | cadlbihC.pif
1376 | cadlbihC.pif
4168 | cadlbihC.pif
4168 | cadlbihC.pif
-
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
pid | Process
3572 | cadlbihC.pif
3572 | cadlbihC.pif
3572 | cadlbihC.pif
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 1376 | cadlbihC.pif
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | Process
3572 | cadlbihC.pif
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | pid | Process | procid_target
PID 1524 wrote to memory of 2852 | 1524 | Chibldacfsxzsf.exe | 94
PID 1524 wrote to memory of 2852 | 1524 | Chibldacfsxzsf.exe | 94
PID 1524 wrote to memory of 2852 | 1524 | Chibldacfsxzsf.exe | 94
PID 1524 wrote to memory of 3572 | 1524 | Chibldacfsxzsf.exe | 95
PID 1524 wrote to memory of 3572 | 1524 | Chibldacfsxzsf.exe | 95
PID 1524 wrote to memory of 3572 | 1524 | Chibldacfsxzsf.exe | 95
PID 1524 wrote to memory of 3572 | 1524 | Chibldacfsxzsf.exe | 95
PID 1524 wrote to memory of 3572 | 1524 | Chibldacfsxzsf.exe | 95
PID 3572 wrote to memory of 4168 | 3572 | cadlbihC.pif | 96
PID 3572 wrote to memory of 4168 | 3572 | cadlbihC.pif | 96
PID 3572 wrote to memory of 4168 | 3572 | cadlbihC.pif | 96
PID 3572 wrote to memory of 4172 | 3572 | cadlbihC.pif | 97
PID 3572 wrote to memory of 4172 | 3572 | cadlbihC.pif | 97
PID 3572 wrote to memory of 4172 | 3572 | cadlbihC.pif | 97
PID 3572 wrote to memory of 1376 | 3572 | cadlbihC.pif | 98
PID 3572 wrote to memory of 1376 | 3572 | cadlbihC.pif | 98
PID 3572 wrote to memory of 1376 | 3572 | cadlbihC.pif | 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe"
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\extrac32.exe (depth 2)
Command line: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe C:\\Users\\Public\\Libraries\\Chibldac.PIF
PID:2852
-
-
C:\Users\Public\Libraries\cadlbihC.pif (depth 2)
Command line: C:\Users\Public\Libraries\cadlbihC.pif
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Users\Public\Libraries\cadlbihC.pif (depth 3)
Command line: C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\hfzneiqeillzpbjsctxbmpbixl"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4168
-
-
C:\Users\Public\Libraries\cadlbihC.pif (depth 3)
Command line: C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\rhexeabgwtddahxwmwkdptwrfrjtg"
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:4172
-
-
C:\Users\Public\Libraries\cadlbihC.pif (depth 3)
Command line: C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\ubkqftmzkcvqcvtadhwwagiiggtchkxq"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
144B
MD5
f108f146496b6ed78c42a3737a6a4f50
SHA1
67ba5913d87d31f73639cc07ef0bbf9004e1c2cb
SHA256
c9294bd32ce4712fda8ec5e2ccd7279c46e8ca38fba0b8e49c9a3b1b58d8fea8
SHA512
60de58535eed0fa5cdc1e6c7f2dc6b382b1ffa2acc461712ffc1529d796e8f6d24cda3aa52ecf5c3ef4dad952330d58023aa5b85dffebeecfe2b5fe1a36f4e4f
-
Filesize
4KB
MD5
788d7419b32411807cc6753cbbccecbe
SHA1
761b99a1e5bc168f525181d78cff3f6ed82daa14
SHA256
76150e857b36f1f070422d2ad4df17f87454466348e4bfc158b028977378140b
SHA512
3003f104b0b07870015ff4e9e0d254c2e537d4c68ef664a772d7018827b0ccbeb5481a2ce587b88e6ab1d71d6ce523a620c11c00c676857d5fd5ab949fa617b4
-
Filesize
66KB
MD5
c116d3604ceafe7057d77ff27552c215
SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d
SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6