Overview

Overall score: 10

Tasks (task, platform, score):
- static: 3
- BLdraftedC...24.exe, windows7-x64: 10
- BLdraftedC...24.exe, windows10-2004-x64: 10
- $PLUGINSDI...er.dll, windows7-x64: 1
- $PLUGINSDI...er.dll, windows10-2004-x64: 1
- $PLUGINSDI...ge.dll, windows7-x64: 1
- $PLUGINSDI...ge.dll, windows10-2004-x64: 1
- $PLUGINSDI...em.dll, windows7-x64: 3
- $PLUGINSDI...em.dll, windows10-2004-x64: 3
- $PLUGINSDI...gs.dll, windows7-x64: 3
- $PLUGINSDI...gs.dll, windows10-2004-x64: 3
- Elektroing...rs.app, macos-10.15-amd64: 1
Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 08:26
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: BLdraftedCopy200524.exe, win7-20240508-en
- behavioral2: BLdraftedCopy200524.exe, win10v2004-20240426-en
- behavioral3: $PLUGINSDIR/Banner.dll, win7-20240508-en
- behavioral4: $PLUGINSDIR/Banner.dll, win10v2004-20240426-en
- behavioral5: $PLUGINSDIR/BgImage.dll, win7-20240221-en
- behavioral6: $PLUGINSDIR/BgImage.dll, win10v2004-20240508-en
- behavioral7: $PLUGINSDIR/System.dll, win7-20240215-en
- behavioral8: $PLUGINSDIR/System.dll, win10v2004-20240426-en
- behavioral9: $PLUGINSDIR/nsDialogs.dll, win7-20240221-en
- behavioral10: $PLUGINSDIR/nsDialogs.dll, win10v2004-20240508-en
- behavioral11: Elektroingenirers/Sabbatters.app, macos-20240410-en
General
- Target: BLdraftedCopy200524.exe
- Size: 472KB
- MD5: 04b8fc8f6182aa25305b19c0917aa7d7
- SHA1: fcf7d768cb6ba5067723b694984fd20b8e0a079a
- SHA256: f08569862f95f332a676932f77eed6f4321c1e6bf3f24a6f3398dc6608ca8353
- SHA512: 0118012b0eb44b91037b8a31fb5fd3fc55042d9009756badf221d9c24943e294521688cc90c47285ecd11d165a8c6b6bf4bcf6675d0412e2c385346e8cc53811
- SSDEEP: 12288:vi3hR5SANo8/O2zaKBtD1sJG9GIzwmG5hvnHQ:K3hv5j/zbDmskwwm+dQ
Malware Config

Extracted family: remcos
- RemoteHost: 64.188.27.90:2404
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-COHIYL
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures

- NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients
  YARA matches (resource: rule):
  - behavioral2/memory/836-72-0x0000000000400000-0x0000000000462000-memory.dmp: MailPassView
  - behavioral2/memory/836-63-0x0000000000400000-0x0000000000462000-memory.dmp: MailPassView

- NirSoft WebBrowserPassView (4 IoCs)
  Password recovery tool for various web browsers
  YARA matches (resource: rule):
  - behavioral2/memory/2900-73-0x0000000000400000-0x0000000000478000-memory.dmp: WebBrowserPassView
  - behavioral2/memory/2900-70-0x0000000000400000-0x0000000000478000-memory.dmp: WebBrowserPassView
  - behavioral2/memory/2900-62-0x0000000000400000-0x0000000000478000-memory.dmp: WebBrowserPassView
  - behavioral2/memory/2900-80-0x0000000000400000-0x0000000000478000-memory.dmp: WebBrowserPassView

- Nirsoft (9 IoCs)
  YARA matches (resource: rule):
  - behavioral2/memory/4404-74-0x0000000000400000-0x0000000000424000-memory.dmp: Nirsoft
  - behavioral2/memory/2900-73-0x0000000000400000-0x0000000000478000-memory.dmp: Nirsoft
  - behavioral2/memory/4404-78-0x0000000000400000-0x0000000000424000-memory.dmp: Nirsoft
  - behavioral2/memory/4404-71-0x0000000000400000-0x0000000000424000-memory.dmp: Nirsoft
  - behavioral2/memory/2900-70-0x0000000000400000-0x0000000000478000-memory.dmp: Nirsoft
  - behavioral2/memory/2900-62-0x0000000000400000-0x0000000000478000-memory.dmp: Nirsoft
  - behavioral2/memory/836-72-0x0000000000400000-0x0000000000462000-memory.dmp: Nirsoft
  - behavioral2/memory/836-63-0x0000000000400000-0x0000000000462000-memory.dmp: Nirsoft
  - behavioral2/memory/2900-80-0x0000000000400000-0x0000000000478000-memory.dmp: Nirsoft

- Loads dropped DLL (3 IoCs)
  Processes (pid, process): 5048 BLdraftedCopy200524.exe (3 times)

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes (description, ioc, process): Key opened, \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, BLdraftedCopy200524.exe

- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  Processes (pid, process): 1432 BLdraftedCopy200524.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid, process): 5048 BLdraftedCopy200524.exe; 1432 BLdraftedCopy200524.exe

- Suspicious use of SetThreadContext (4 IoCs)
  Processes (description, pid, process, target process):
  - PID 5048 set thread context of 1432: BLdraftedCopy200524.exe -> BLdraftedCopy200524.exe
  - PID 1432 set thread context of 2900: BLdraftedCopy200524.exe -> BLdraftedCopy200524.exe
  - PID 1432 set thread context of 836: BLdraftedCopy200524.exe -> BLdraftedCopy200524.exe
  - PID 1432 set thread context of 4404: BLdraftedCopy200524.exe -> BLdraftedCopy200524.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process): 2900 BLdraftedCopy200524.exe (4 times); 4404 BLdraftedCopy200524.exe (2 times)

- Suspicious behavior: MapViewOfSection (4 IoCs)
  Processes (pid, process): 5048 BLdraftedCopy200524.exe (1 time); 1432 BLdraftedCopy200524.exe (3 times)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process): Token: SeDebugPrivilege, 4404 BLdraftedCopy200524.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description, pid, process, target process), all BLdraftedCopy200524.exe -> BLdraftedCopy200524.exe:
  - PID 5048 wrote to memory of 1432 (5 times)
  - PID 1432 wrote to memory of 2900 (3 times)
  - PID 1432 wrote to memory of 836 (3 times)
  - PID 1432 wrote to memory of 4404 (3 times)
Processes

- C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe (PID 5048)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe"
  Signatures: Loads dropped DLL; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe (PID 1432)
    Command line: "C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe"
    Signatures: Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe (PID 2900)
      Command line: C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe /stext "C:\Users\Admin\AppData\Local\Temp\rdxaaakzeimeowul"
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe (PID 836)
      Command line: C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe /stext "C:\Users\Admin\AppData\Local\Temp\bfdtatvtsqerzcqpksp"
      Signatures: Accesses Microsoft Outlook accounts
    - C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe (PID 4404)
      Command line: C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe /stext "C:\Users\Admin\AppData\Local\Temp\mzqdblfvgyowbiebbdbvaiv"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Temp\nsx80AA.tmp\BgImage.dll
  Filesize: 7KB
  MD5: 9436196007f65f0ae96f64b1c8b2572e
  SHA1: 4b004b5c2865c9450876be83faa8cc96e1d12c01
  SHA256: 286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9
  SHA512: 5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e

- C:\Users\Admin\AppData\Local\Temp\nsx80AA.tmp\System.dll
  Filesize: 11KB
  MD5: 8b3830b9dbf87f84ddd3b26645fed3a0
  SHA1: 223bef1f19e644a610a0877d01eadc9e28299509
  SHA256: f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
  SHA512: d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

- C:\Users\Admin\AppData\Local\Temp\nsx80AA.tmp\nsDialogs.dll
  Filesize: 9KB
  MD5: 82c3f38cd34739872af07443c65d0bd8
  SHA1: 1f4ee2d394404a291eda6419f856adaf4b960237
  SHA256: 59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311
  SHA512: 3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d

- C:\Users\Admin\AppData\Local\Temp\rdxaaakzeimeowul
  Filesize: 4KB
  MD5: 365f45018b7bcc98591979d6c4b23752
  SHA1: 073aff125450845105f5daa7d0e7cc24ee8bbca5
  SHA256: 27be905cdbf87c23851d00d61afd5fcfe5c72b1de227ac7d8c0dc5c7583c9a6e
  SHA512: 4bd0d2266c624b9ad40e9ba6cb4d63debd12f46f5c27afae3bfc20e3e7f5e9f9c88f83151166324223c5889034a4d70652cf747f6943af011191c64c28e18703

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Krydsrevisionernes.lnk
  Filesize: 938B
  MD5: c5ec4795b57d751ecd916b6389accf0a
  SHA1: 33bbd2dcc6657fa259f01722cb69252e1c5f2723
  SHA256: ca7bec08c85c00ba25a5fb1bd75fd99d744af6916ffd6267731dbe9f525132e6
  SHA512: 5a72b32261facb786168a173b362a6649f8311fdb22c040943c91c26d5618cdf593479284e945f7ab020edee6d699c11aefc9f185b5633f7ab4ded82f0d3eabb