Overview

overview

10

Static

static

3

vape.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    208s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-05-2024 20:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vape.exe

  • Size

    60.3MB

  • MD5

    52948b3f8fb248f63377473b579aaab4

  • SHA1

    0913e3f4f6e2a6e227a8b385e6ec1bbf5dda5ffa

  • SHA256

    7e1c90f994d36d2bd947109c72fe6ffe39cfe54e8064b618255e27d0328717a4

  • SHA512

    a03e7c4b9032e6e66b94e0199c7cfaafc0191064ba81cb78a08a0e82a8acabca3982d826570216ac9712354e96d5f7f653dc71d7c9f7e8f2c8dd6c40330d37ea

  • SSDEEP

    1572864:vHNfIc/bDS7YL3iUqekIR681ttq+NDVK3ZiFx4mdSG:vZzz+7stopJwCmIG

Score
10/10
remcoshostingcollectionpersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

Hosting

C2

education-delete.gl.at.ply.gg:49970

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Start.exe

  • copy_folder

    Start

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    WD

  • mouse_option

    false

  • mutex

    Rmc-DTLAVU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Start

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 8 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\vape.exe
    "C:\Users\Admin\AppData\Local\Temp\vape.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4744
    • C:\Users\Admin\AppData\Local\Temp\test.exe
      "C:\Users\Admin\AppData\Local\Temp\test.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:608
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Windows\Start\Start.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2324
          • C:\Windows\Start\Start.exe
            C:\Windows\Start\Start.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3504
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
                PID:4408
              • C:\Windows\Start\Start.exe
                C:\Windows\Start\Start.exe /stext "C:\Users\Admin\AppData\Local\Temp\qwttslxqh"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:1232
              • C:\Windows\Start\Start.exe
                C:\Windows\Start\Start.exe /stext "C:\Users\Admin\AppData\Local\Temp\byymtwikdjbe"
                6⤵
                • Executes dropped EXE
                • Accesses Microsoft Outlook accounts
                PID:4476
              • C:\Windows\Start\Start.exe
                C:\Windows\Start\Start.exe /stext "C:\Users\Admin\AppData\Local\Temp\ltdeuoslrrtjold"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1580
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ynnnajmktss.vbs"
                6⤵
                  PID:1608

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\install.vbs
        Filesize

        374B

        MD5

        f60cc4eeca4c8041a937a90d3ff2101f

        SHA1

        0afff521ea9206c4b005bc00a0900e786dc25ac2

        SHA256

        181b0744bb4c4fe2506b30501ae94e4c58797c80a93504df2e15e5e300aa45fb

        SHA512

        9693d82ca9b7f4d6fd582997627e7e05a0d28e31641180caeb026b75e7cc45547bc1805b50fb6c92306a42923b51db9d0a2f9e142686b05189b5256fc5d3d093

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\qwttslxqh
        Filesize

        4KB

        MD5

        8651f1ecc401fe73c45d06863467d144

        SHA1

        0150ba4649afe382ae1705552473bba7beb990f4

        SHA256

        51827e101e890667e6d9b8aa7b804d56b53cadc110b5b8b834229788c29a65e8

        SHA512

        c0b371d9080c0e82adae100a9400bb7bd239cfe243c072dde0f9310524b92d16a10db9117403d8af227cef9def552dba7c04da3b3bd46a88836acc071cb9890f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\test.exe
        Filesize

        469KB

        MD5

        0ff8583a950575dc46b6161a1cbedd7f

        SHA1

        994262f8105f356af7c082acc64b124a31e59823

        SHA256

        5de9386a715c53046402e0800ed2923d4aa14189c397886223eda5fe6a502c59

        SHA512

        1f34c829d51866db2352f93a28617b1d55ac67e88dba22f7585aea25f24bd94f38666517c49853f3bcde65b7dcb454c1a0078629d5370c31bdb6d754f245353b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ynnnajmktss.vbs
        Filesize

        496B

        MD5

        38c72c25b6d7c2a1cd21c7beba2516ed

        SHA1

        547c5178f9bf75f04c310bf269c4c4d42bcc7fe5

        SHA256

        9b4e30e0a9938e691e8f815bf8dfad957e866650945ee0144e3a56d3f30899d5

        SHA512

        784b42dea20e415d402513720deb609b4f5b554257b72bea67d4e1ef043cf95e295a2090c5a01fe3ff1ed159eba73850e61e03a3e1ab673273a2e12838a54781

        Download Submit

      • memory/1232-66-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/1232-57-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/1232-42-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/1232-48-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/1580-49-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/1580-61-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/1580-53-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/1580-56-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/1580-51-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2384-0-0x00007FFD06B13000-0x00007FFD06B15000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2384-27-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2384-1-0x0000000000120000-0x0000000003D6A000-memory.dmp

        Filesize

        60.3MB

        Download

      • memory/2384-2-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4408-38-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/4408-37-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/4476-44-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/4476-55-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/4476-52-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/4476-54-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/4744-40-0x000001BC1FD70000-0x000001BC1FD76000-memory.dmp

        Filesize

        24KB

        Download

      • memory/4744-39-0x000001BC1FD50000-0x000001BC1FD6C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4744-33-0x000001BC055D0000-0x000001BC05602000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4744-32-0x000001BC1DEB0000-0x000001BC1E026000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4744-30-0x000001BC00000000-0x000001BC03C5A000-memory.dmp

        Filesize

        60.4MB

        Download

      • memory/4744-69-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4744-26-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

        Filesize

        10.8MB

        Download