Overview

Sample score: 10

Task                  Platform             Score
Static                static               3
BLdraftedC...24.exe   windows7-x64         10
BLdraftedC...24.exe   windows10-2004-x64   10
$PLUGINSDI...er.dll   windows7-x64         1
$PLUGINSDI...er.dll   windows10-2004-x64   1
$PLUGINSDI...ge.dll   windows7-x64         1
$PLUGINSDI...ge.dll   windows10-2004-x64   1
$PLUGINSDI...em.dll   windows7-x64         3
$PLUGINSDI...em.dll   windows10-2004-x64   3
$PLUGINSDI...gs.dll   windows7-x64         3
$PLUGINSDI...gs.dll   windows10-2004-x64   3
Elektroing...rs.app   macos-10.15-amd64    1

Analysis
The behavioral task detailed on this page (behavioral1):

max time kernel:   147s
max time network:  148s
platform:          windows7_x64
resource:          win7-20240508-en
resource tags:     arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted:         20-05-2024 08:26
Static task: static1

Behavioral tasks

Task          Sample                             Resource
behavioral1   BLdraftedCopy200524.exe            win7-20240508-en
behavioral2   BLdraftedCopy200524.exe            win10v2004-20240426-en
behavioral3   $PLUGINSDIR/Banner.dll             win7-20240508-en
behavioral4   $PLUGINSDIR/Banner.dll             win10v2004-20240426-en
behavioral5   $PLUGINSDIR/BgImage.dll            win7-20240221-en
behavioral6   $PLUGINSDIR/BgImage.dll            win10v2004-20240508-en
behavioral7   $PLUGINSDIR/System.dll             win7-20240215-en
behavioral8   $PLUGINSDIR/System.dll             win10v2004-20240426-en
behavioral9   $PLUGINSDIR/nsDialogs.dll          win7-20240221-en
behavioral10  $PLUGINSDIR/nsDialogs.dll          win10v2004-20240508-en
behavioral11  Elektroingenirers/Sabbatters.app   macos-20240410-en
General

Target:  BLdraftedCopy200524.exe
Size:    472KB
MD5:     04b8fc8f6182aa25305b19c0917aa7d7
SHA1:    fcf7d768cb6ba5067723b694984fd20b8e0a079a
SHA256:  f08569862f95f332a676932f77eed6f4321c1e6bf3f24a6f3398dc6608ca8353
SHA512:  0118012b0eb44b91037b8a31fb5fd3fc55042d9009756badf221d9c24943e294521688cc90c47285ecd11d165a8c6b6bf4bcf6675d0412e2c385346e8cc53811
SSDEEP:  12288:vi3hR5SANo8/O2zaKBtD1sJG9GIzwmG5hvnHQ:K3hv5j/zbDmskwwm+dQ

The $PLUGINSDIR/*.dll entries in the task list (Banner, BgImage, System, nsDialogs) and the nso3709.tmp folder in the dropped-file list are the standard NSIS plugin layout: the sample is an NSIS installer used as the loader, and those four DLLs are stock NSIS plugins rather than payloads. The Remcos payload itself only appears in memory, in the process chain described under Signatures.
Malware Config

Extracted: remcos

RemoteHost              64.188.27.90:2404
audio_folder            MicRecords
audio_record_time       5
connect_delay           0
connect_interval        1
copy_file               remcos.exe
copy_folder             Remcos
delete_file             false
hide_file               false
hide_keylog_file        false
install_flag            false
keylog_crypt            false
keylog_file             logs.dat
keylog_flag             false
keylog_folder           remcos
mouse_option            false
mutex                   Rmc-COHIYL
screenshot_crypt        false
screenshot_flag         false
screenshot_folder       Screenshots
screenshot_path         %AppData%
screenshot_time         10
take_screenshot_option  false
take_screenshot_time    5

What to act on: the C2 endpoint 64.188.27.90:2404 and the mutex Rmc-COHIYL are the two values specific to this build. install_flag is false, so copy_file/copy_folder (remcos.exe under a Remcos folder) describe where an install would go, not a file this configuration tells the sample to create; keylog_flag and screenshot_flag are false as well, so logs.dat and a Screenshots folder under %AppData% are not expected on an infected host either. The remaining values (MicRecords, Screenshots, logs.dat, remcos.exe) are generic Remcos names, not build-specific indicators.
Signatures (behavioral1, windows7-x64)

Read together, the entries below describe one chain. PID 2552 spawns a copy of itself (2864), writes into it and resets its thread context; 2864 then does the same to three further copies (2924, 2952, 2996), whose image regions at 0x400000 match the NirSoft WebBrowserPassView, MailPassView and generic Nirsoft YARA rules. All five processes share the same on-disk executable, so the three children are running injected NirSoft password-recovery tools rather than the installer. The HideFromDebugger calls in 2552 and 2864 are thread-level anti-debugging.

NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients
  YARA rule MailPassView matched:
    behavioral1/memory/2952-72-0x0000000000400000-0x0000000000462000-memory.dmp
    behavioral1/memory/2952-88-0x0000000000400000-0x0000000000462000-memory.dmp

NirSoft WebBrowserPassView (3 IoCs)
  Password recovery tool for various web browsers
  YARA rule WebBrowserPassView matched:
    behavioral1/memory/2924-67-0x0000000000400000-0x0000000000478000-memory.dmp
    behavioral1/memory/2924-61-0x0000000000400000-0x0000000000478000-memory.dmp
    behavioral1/memory/2924-79-0x0000000000400000-0x0000000000478000-memory.dmp

Nirsoft (8 IoCs)
  YARA rule Nirsoft matched:
    behavioral1/memory/2996-66-0x0000000000400000-0x0000000000424000-memory.dmp
    behavioral1/memory/2996-70-0x0000000000400000-0x0000000000424000-memory.dmp
    behavioral1/memory/2924-67-0x0000000000400000-0x0000000000478000-memory.dmp
    behavioral1/memory/2924-61-0x0000000000400000-0x0000000000478000-memory.dmp
    behavioral1/memory/2996-73-0x0000000000400000-0x0000000000424000-memory.dmp
    behavioral1/memory/2952-72-0x0000000000400000-0x0000000000462000-memory.dmp
    behavioral1/memory/2924-79-0x0000000000400000-0x0000000000478000-memory.dmp
    behavioral1/memory/2952-88-0x0000000000400000-0x0000000000462000-memory.dmp

Loads dropped DLL (3 IoCs)
  PID 2552 BLdraftedCopy200524.exe (3 loads)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  BLdraftedCopy200524.exe (PID 2952, per the process tree) opened key
  \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  PID 2864 BLdraftedCopy200524.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 2552 BLdraftedCopy200524.exe
  PID 2864 BLdraftedCopy200524.exe

Suspicious use of SetThreadContext (4 IoCs)
  PID 2552 set thread context of 2864 (BLdraftedCopy200524.exe -> BLdraftedCopy200524.exe)
  PID 2864 set thread context of 2924 (BLdraftedCopy200524.exe -> BLdraftedCopy200524.exe)
  PID 2864 set thread context of 2952 (BLdraftedCopy200524.exe -> BLdraftedCopy200524.exe)
  PID 2864 set thread context of 2996 (BLdraftedCopy200524.exe -> BLdraftedCopy200524.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2924 BLdraftedCopy200524.exe (x2)

Suspicious behavior: MapViewOfSection (4 IoCs)
  PID 2552 BLdraftedCopy200524.exe (x1)
  PID 2864 BLdraftedCopy200524.exe (x3)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  PID 2996 BLdraftedCopy200524.exe enabled SeDebugPrivilege

Suspicious use of WriteProcessMemory (18 IoCs)
  PID 2552 wrote to memory of 2864 (x6)
  PID 2864 wrote to memory of 2924 (x4)
  PID 2864 wrote to memory of 2952 (x4)
  PID 2864 wrote to memory of 2996 (x4)
Processes

BLdraftedCopy200524.exe (PID 2552)
  Image:        C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  BLdraftedCopy200524.exe (PID 2864), child of 2552
    Command line: "C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe"
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    BLdraftedCopy200524.exe (PID 2924), child of 2864
      Command line: C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe /stext "C:\Users\Admin\AppData\Local\Temp\apfsivigjwfeixqarx"
      - Suspicious behavior: EnumeratesProcesses

    BLdraftedCopy200524.exe (PID 2952), child of 2864
      Command line: C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe /stext "C:\Users\Admin\AppData\Local\Temp\kjlcjnshxfxrslnejhsgo"
      - Accesses Microsoft Outlook accounts

    BLdraftedCopy200524.exe (PID 2996), child of 2864
      Command line: C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe /stext "C:\Users\Admin\AppData\Local\Temp\ndyvkgdblnpvvrbissmzzqjfe"
      - Suspicious use of AdjustPrivilegeToken

/stext is the NirSoft command-line switch that writes a tool's output to a plain-text file. Each of the three children is pointed at a random lower-case file name in %TEMP%; the 2552 -> 2864 -> {2924, 2952, 2996} parent/child layout matches the SetThreadContext and WriteProcessMemory edges listed under Signatures, and the three children's command lines are the most reliable host-side detection for this stage.
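The chain above can be reconstructed from ordinary endpoint telemetry. The following is an added example, not sandbox output and not code from the sandbox vendor: it takes process-creation records and cross-process API edges shaped like the ones in this report (the records themselves are constructed here from the process tree and the SetThreadContext/WriteProcessMemory counts; the Sysmon-style field layout and the root's parent PID 1000 are assumptions) and flags self-spawned children that were written into and had their thread context reset, plus any child launched with NirSoft's /stext switch.

```python
import re
from collections import defaultdict

# Constructed from this report's process tree and signature counts; the
# (pid, ppid, image, command_line) layout mirrors a Sysmon Event ID 1 feed.
EXE = r"C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

PROCESS_CREATE = [
    (2552, 1000, EXE, '"' + EXE + '"'),  # ppid 1000 is assumed (sandbox launcher)
    (2864, 2552, EXE, '"' + EXE + '"'),
    (2924, 2864, EXE, EXE + ' /stext "' + TEMP + r'\apfsivigjwfeixqarx"'),
    (2952, 2864, EXE, EXE + ' /stext "' + TEMP + r'\kjlcjnshxfxrslnejhsgo"'),
    (2996, 2864, EXE, EXE + ' /stext "' + TEMP + r'\ndyvkgdblnpvvrbissmzzqjfe"'),
]

# (api, source_pid, target_pid) edges, with the multiplicities the report lists:
# 4 SetThreadContext, 6 WriteProcessMemory into 2864, 4 into each stealer child.
CROSS_PROCESS = (
    [("SetThreadContext", 2552, 2864)]
    + [("SetThreadContext", 2864, c) for c in (2924, 2952, 2996)]
    + [("WriteProcessMemory", 2552, 2864)] * 6
    + [("WriteProcessMemory", 2864, c) for c in (2924, 2952, 2996) for _ in range(4)]
)

# NirSoft's /stext switch saves output to a text file; Remcos points it at a
# random lower-case name in %TEMP%, which is the shape this pattern keys on.
STEXT_RE = re.compile(r'/stext\s+"([^"]*\\Temp\\[a-z]{12,40})"', re.IGNORECASE)


def find_hollowing_chains(events, edges):
    """(parent, child) pairs where a process spawned its own image, wrote into
    the child and reset its thread context: the WriteProcessMemory +
    SetThreadContext sequence that process hollowing leaves behind."""
    wrote = defaultdict(int)
    ctx = set()
    for api, src, dst in edges:
        if api == "WriteProcessMemory":
            wrote[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx.add((src, dst))
    image = {pid: img for pid, _, img, _ in events}
    chains = []
    for pid, ppid, img, _ in events:
        if image.get(ppid) == img and (ppid, pid) in ctx and wrote[(ppid, pid)] > 0:
            chains.append((ppid, pid))
    return chains


def find_nirsoft_stext(events):
    """pid -> output path for processes launched with NirSoft's /stext switch."""
    hits = {}
    for pid, _, _, cmdline in events:
        m = STEXT_RE.search(cmdline)
        if m:
            hits[pid] = m.group(1)
    return hits


def stager_pids(chains, stext_hits):
    """Parents that hollowed the children running the credential dumpers:
    the process whose memory is worth dumping first (2864 in this report)."""
    return sorted({parent for parent, child in chains if child in stext_hits})


if __name__ == "__main__":
    chains = find_hollowing_chains(PROCESS_CREATE, CROSS_PROCESS)
    hits = find_nirsoft_stext(PROCESS_CREATE)
    for parent, child in chains:
        print(f"hollowing: {parent} -> {child}")
    for pid, path in hits.items():
        print(f"nirsoft /stext: pid {pid} writes {path}")
    print("stager(s):", stager_pids(chains, hits))
```

On real telemetry the image-equality test is what keeps the false-positive rate down: plenty of legitimate software calls WriteProcessMemory on a child, but very little spawns a copy of itself and then rewrites that copy's thread context.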
Network
MITRE ATT&CK Enterprise v15
Downloads (files written during behavioral1)

C:\Users\Admin\AppData\Local\Temp\apfsivigjwfeixqarx
  The /stext output file of PID 2924; at 2 bytes it holds no harvested credentials.
  Filesize: 2B
  MD5:      f3b25701fe362ec84616a93a45ce9998
  SHA1:     d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256:   b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512:   98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Krydsrevisionernes.lnk
  Filesize: 922B
  MD5:      082597d04652fb48cf5cd634e44750a3
  SHA1:     e8496ac7314800233a67e099741a65f25471a283
  SHA256:   91746ebea171bc277445841c213f19c0de4baae3e7af50b1a5132ac7ec562cac
  SHA512:   a3b745a894c41b32d5993b93ef3a954253d4ffa54dcee54a4f3f0d261eb89407fdf868aad6b10db3fcdc3d4ce00def7713b1aabcdb9f5662918ff3c4d49859a7

\Users\Admin\AppData\Local\Temp\nso3709.tmp\BgImage.dll
  NSIS plugin extracted to the installer's $PLUGINSDIR (nso3709.tmp).
  Filesize: 7KB
  MD5:      9436196007f65f0ae96f64b1c8b2572e
  SHA1:     4b004b5c2865c9450876be83faa8cc96e1d12c01
  SHA256:   286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9
  SHA512:   5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e

\Users\Admin\AppData\Local\Temp\nso3709.tmp\System.dll
  NSIS plugin extracted to the installer's $PLUGINSDIR (nso3709.tmp).
  Filesize: 11KB
  MD5:      8b3830b9dbf87f84ddd3b26645fed3a0
  SHA1:     223bef1f19e644a610a0877d01eadc9e28299509
  SHA256:   f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
  SHA512:   d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

\Users\Admin\AppData\Local\Temp\nso3709.tmp\nsDialogs.dll
  NSIS plugin extracted to the installer's $PLUGINSDIR (nso3709.tmp).
  Filesize: 9KB
  MD5:      82c3f38cd34739872af07443c65d0bd8
  SHA1:     1f4ee2d394404a291eda6419f856adaf4b960237
  SHA256:   59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311
  SHA512:   3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d
Memory dumps (behavioral1)

Entries are named memory/<pid>-<dump index>-<start>-<end>-memory.dmp; repeated dumps of the same region are collapsed below and their indices listed.

PID 2552
  0x0000000077131000-0x0000000077232000   1.0MB   dump 48
  0x0000000077130000-0x00000000772D9000   1.7MB   dump 49

PID 2864
  0x0000000000490000-0x00000000014F2000   16.4MB  dumps 51, 53, 82, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100
  0x0000000035C00000-0x0000000035C19000   100KB   dumps 83, 86, 87
  0x0000000077130000-0x00000000772D9000   1.7MB   dump 50

PID 2924
  0x0000000000400000-0x0000000000478000   480KB   dumps 57, 60, 61, 67, 79
  0x0000000077130000-0x00000000772D9000   1.7MB   dump 68

PID 2952
  0x0000000000400000-0x0000000000462000   392KB   dumps 62, 64, 69, 72, 88
  0x0000000077130000-0x00000000772D9000   1.7MB   dump 71

PID 2996
  0x0000000000400000-0x0000000000424000   144KB   dumps 63, 65, 66, 70, 73

The three children each carry a differently sized image at 0x400000 (480KB, 392KB, 144KB) even though all five processes were started from the same 472KB executable; those are the regions the WebBrowserPassView, MailPassView and Nirsoft YARA rules matched, and they are the dumps to pull if you want the NirSoft binaries themselves. The 16.4MB region in PID 2864, which hollows the three children, is the stage to examine for the Remcos payload and its configuration.
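The dump list above is regular enough to parse, and doing so turns the "same executable, different image sizes" observation into a check you can run on any report of this shape. The following is an added example, not part of the report and not the sandbox vendor's code: it parses dump names into PID and region bounds, renders sizes the way the report does, and reports processes that share one image path but carry differently sized regions at 0x400000. The dump names and YARA hits are copied from this page; treating 0x400000 (the default 32-bit PE base) as "the executable image" and the one-path-several-sizes rule are this example's own heuristics.

```python
import re
from collections import defaultdict

# Added example. Dump names and YARA hits are copied from this report; the
# image-base heuristic (0x400000) and the size-disagreement rule are assumptions.
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)
IMAGE_BASE = 0x400000  # default base of a 32-bit PE; assumed to be the image region

DUMPS = """
memory/2552-48-0x0000000077131000-0x0000000077232000-memory.dmp
memory/2552-49-0x0000000077130000-0x00000000772D9000-memory.dmp
memory/2864-51-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2864-83-0x0000000035C00000-0x0000000035C19000-memory.dmp
memory/2924-57-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2924-61-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2952-72-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2996-66-0x0000000000400000-0x0000000000424000-memory.dmp
""".split()

# (dump, rule) pairs as listed under Signatures
YARA_HITS = [
    ("memory/2924-61-0x0000000000400000-0x0000000000478000-memory.dmp", "WebBrowserPassView"),
    ("memory/2952-72-0x0000000000400000-0x0000000000462000-memory.dmp", "MailPassView"),
    ("memory/2996-66-0x0000000000400000-0x0000000000424000-memory.dmp", "Nirsoft"),
]

# every PID in the process tree was started from the same on-disk executable
EXE = r"C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe"
IMAGE_OF = {pid: EXE for pid in (2552, 2864, 2924, 2952, 2996)}


def parse_dump(name):
    """Split a dump name into pid, dump index and region bounds."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError("not a memory dump name: " + name)
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human(size):
    """Render a byte count the way the report does: KB below 1 MiB, else one decimal MB."""
    if size >= 1 << 20:
        return "%.1fMB" % (size / (1 << 20))
    return "%dKB" % (size // 1024)


def regions(names):
    """pid -> {(start, end): [dump indices]}; repeated dumps of one region collapse."""
    out = defaultdict(lambda: defaultdict(list))
    for n in names:
        d = parse_dump(n)
        out[d["pid"]][(d["start"], d["end"])].append(d["idx"])
    return out


def image_sizes(names):
    """pid -> size of the region mapped at IMAGE_BASE, for pids that have one."""
    sizes = {}
    for pid, regs in regions(names).items():
        for start, end in regs:
            if start == IMAGE_BASE:
                sizes[pid] = end - start
    return sizes


def hollowed(names, image_of, yara_hits):
    """Processes sharing one executable path but holding differently sized
    images at IMAGE_BASE, i.e. code that is not the on-disk file.
    Returns pid -> (size, sorted YARA rules that hit that region)."""
    sizes = image_sizes(names)
    sizes_by_path = defaultdict(set)
    for pid, sz in sizes.items():
        sizes_by_path[image_of[pid]].add(sz)
    rules = defaultdict(set)
    for dump, rule in yara_hits:
        d = parse_dump(dump)
        if d["start"] == IMAGE_BASE:
            rules[d["pid"]].add(rule)
    return {pid: (sz, sorted(rules[pid]))
            for pid, sz in sizes.items() if len(sizes_by_path[image_of[pid]]) > 1}


if __name__ == "__main__":
    for pid, regs in sorted(regions(DUMPS).items()):
        for (s, e), idx in sorted(regs.items()):
            print(f"pid {pid}: 0x{s:08X}-0x{e:08X} {human(e - s):>7} dumps {idx}")
    for pid, (sz, fams) in sorted(hollowed(DUMPS, IMAGE_OF, YARA_HITS).items()):
        print(f"pid {pid}: {human(sz)} image at 0x{IMAGE_BASE:X} is not {EXE}: {fams}")
```

The comparison is deliberately between processes rather than against the 472KB file size: a PE's virtual image size never equals its file size, so "differs from the on-disk size" would fire on every process, whereas three siblings started from one file and holding three different image sizes cannot all be running that file.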