Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Elektroing...rs.app

macos-10.15-amd64

1

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    20-05-2024 06:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    472KB

  • MD5

    04b8fc8f6182aa25305b19c0917aa7d7

  • SHA1

    fcf7d768cb6ba5067723b694984fd20b8e0a079a

  • SHA256

    f08569862f95f332a676932f77eed6f4321c1e6bf3f24a6f3398dc6608ca8353

  • SHA512

    0118012b0eb44b91037b8a31fb5fd3fc55042d9009756badf221d9c24943e294521688cc90c47285ecd11d165a8c6b6bf4bcf6675d0412e2c385346e8cc53811

  • SSDEEP

    12288:vi3hR5SANo8/O2zaKBtD1sJG9GIzwmG5hvnHQ:K3hv5j/zbDmskwwm+dQ

Score
10/10
remcosremotehostcollectionratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

64.188.27.90:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-COHIYL

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        C:\Users\Admin\AppData\Local\Temp\file.exe /stext "C:\Users\Admin\AppData\Local\Temp\nqckzwmuruckjelqdqvtdsvzwzon"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1960
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        C:\Users\Admin\AppData\Local\Temp\file.exe /stext "C:\Users\Admin\AppData\Local\Temp\xkpuagwwfcupukhumaiugfqienfwqba"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:1940
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        C:\Users\Admin\AppData\Local\Temp\file.exe /stext "C:\Users\Admin\AppData\Local\Temp\imunbyhptkmuwqvydlvorkkznupfjmqwph"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nqckzwmuruckjelqdqvtdsvzwzon
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Krydsrevisionernes.lnk
    Filesize

    922B

    MD5

    8b5e2111aa1fb4652d22b7e33b2e62e7

    SHA1

    c646b435f668fa44d460ca8e8f6f683f8f5ae99d

    SHA256

    c0d0f8048c1317f6dff01fe703a8d19711e24f2970385c0eded0a6fa957c8286

    SHA512

    cf3e2257358e5713e86360107926b57aa4ca799345097fc1ed565b6c0ea434ef76f4e5560d636876ce97134c9920c3d599aa51b611998c99b821ce25593dcf1e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsi2405.tmp\BgImage.dll
    Filesize

    7KB

    MD5

    9436196007f65f0ae96f64b1c8b2572e

    SHA1

    4b004b5c2865c9450876be83faa8cc96e1d12c01

    SHA256

    286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9

    SHA512

    5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsi2405.tmp\System.dll
    Filesize

    11KB

    MD5

    8b3830b9dbf87f84ddd3b26645fed3a0

    SHA1

    223bef1f19e644a610a0877d01eadc9e28299509

    SHA256

    f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

    SHA512

    d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsi2405.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    82c3f38cd34739872af07443c65d0bd8

    SHA1

    1f4ee2d394404a291eda6419f856adaf4b960237

    SHA256

    59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311

    SHA512

    3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d

    Download Submit

  • memory/1916-75-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1916-71-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1916-63-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1916-65-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1916-66-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1940-84-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1940-69-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1940-62-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1940-64-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1940-58-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1940-70-0x0000000077310000-0x00000000774B9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1960-67-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1960-80-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1960-60-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1960-68-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1960-57-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1960-72-0x0000000077310000-0x00000000774B9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2540-89-0x0000000035C00000-0x0000000035C19000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2540-95-0x0000000000490000-0x00000000014F2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2540-51-0x0000000000490000-0x00000000014F2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2540-101-0x0000000000490000-0x00000000014F2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2540-83-0x0000000000490000-0x00000000014F2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2540-100-0x0000000000490000-0x00000000014F2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2540-90-0x0000000035C00000-0x0000000035C19000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2540-52-0x0000000000490000-0x00000000014F2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2540-86-0x0000000035C00000-0x0000000035C19000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2540-91-0x0000000000490000-0x00000000014F2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2540-92-0x0000000000490000-0x00000000014F2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2540-93-0x0000000000490000-0x00000000014F2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2540-94-0x0000000000490000-0x00000000014F2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2540-50-0x0000000077310000-0x00000000774B9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2540-96-0x0000000000490000-0x00000000014F2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2540-97-0x0000000000490000-0x00000000014F2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2540-98-0x0000000000490000-0x00000000014F2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2540-99-0x0000000000490000-0x00000000014F2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2932-49-0x0000000077310000-0x00000000774B9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2932-48-0x0000000077311000-0x0000000077412000-memory.dmp

    Filesize

    1.0MB

    Download