Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-05-2024 04:06

General

  • Target

    575a456e17b2f57fd8916c13085b5aac.exe

  • Size

    367KB

  • MD5

    575a456e17b2f57fd8916c13085b5aac

  • SHA1

    b49687b43069bd67acc14066d8cdd53f19ac59d1

  • SHA256

    9612bdf95adfb2b39930e025fa8e7b14ac96112b232586ddd45fc839eb59c836

  • SHA512

    494cf5a2fa7296e0e61d18fa6c89ddc4e943db3e6690c4edf26cd18fe0099be1dd0dc4f4184c86156cd0ddc3eb671e90ee7eb8521a83be237e7037f7cf1bee12

  • SSDEEP

    6144:wQ606xhLEeGsClQTAgJeCNoDObrV6BOJaB+f+aBL5k84mK3OqFyhvnv/F:wNTwaAgoCNoDO6uaBM+8kOKlyhvnHF

Malware Config

Extracted

Family

remcos

Botnet

CEYE

C2

64.188.26.202:1604

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Vexploio.exe

  • copy_folder

    Vexplo

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-RXKA3P

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader,Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\575a456e17b2f57fd8916c13085b5aac.exe
    "C:\Users\Admin\AppData\Local\Temp\575a456e17b2f57fd8916c13085b5aac.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Local\Temp\575a456e17b2f57fd8916c13085b5aac.exe
      "C:\Users\Admin\AppData\Local\Temp\575a456e17b2f57fd8916c13085b5aac.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\ProgramData\Vexplo\Vexploio.exe
        "C:\ProgramData\Vexplo\Vexploio.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\ProgramData\Vexplo\Vexploio.exe
          "C:\ProgramData\Vexplo\Vexploio.exe"
          4⤵
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:3016
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:1016
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:412
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:1004
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:1892
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:908
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:1020
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:2344
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:2148
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:2756
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:2580
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:2704
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:2680
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:2932
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:780
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:2844
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:1716
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            PID:820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Vexplo\Vexploio.exe
    Filesize
    367KB
    MD5
    575a456e17b2f57fd8916c13085b5aac
    SHA1
    b49687b43069bd67acc14066d8cdd53f19ac59d1
    SHA256
    9612bdf95adfb2b39930e025fa8e7b14ac96112b232586ddd45fc839eb59c836
    SHA512
    494cf5a2fa7296e0e61d18fa6c89ddc4e943db3e6690c4edf26cd18fe0099be1dd0dc4f4184c86156cd0ddc3eb671e90ee7eb8521a83be237e7037f7cf1bee12

  • C:\Users\Admin\AppData\Local\Temp\App.ini
    Filesize
    95B
    MD5
    fc700cbaeaf064e46e8d0b0f268d30a7
    SHA1
    b5103cee9d860ca8e800afb8b886d8439b0646f5
    SHA256
    3a03f84d01f65aa2a933a88c26f4e440cab55ccb004ca10c4616131878904c1b
    SHA512
    56905ffd314634c36fef1ebf431017d2b8c0439f458fdb9b650dd25f6bbca3b0feab45dae8bea1d068b179024c7f514e5cb4c6f974dc392ed9789fe60a792243

  • C:\Users\Admin\AppData\Local\Temp\tmc.ini
    Filesize
    25B
    MD5
    ecb33f100e1fca0eb01b36757ef3cac8
    SHA1
    61dc848dd725db72746e332d040a032c726c9816
    SHA256
    8734652a2a9e57b56d6cbd22fa9f305fc4691510606bcd2dfca248d1bf9e79c7
    SHA512
    d56951ac8d3eb88020e79f4581cb9282ca40faa8adc4d2f5b8864779e28e5229f5dfe13096cf4b373bbc9bc2ac4bfc58955d9420136fb13537f11c137d633c18

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Krydsrevisionernes.lnk
    Filesize
    910B
    MD5
    e11ec2bc88362ddbfde75715474debbb
    SHA1
    75dbf2c29481346ae7894519d9f1ef43ae996009
    SHA256
    69203b44985d1c1164f9a216444f0d9068b924bf1d36a211a25f23a55195466b
    SHA512
    a8d5622620ca756fe5686768ebf222a9e53b8eaab135c95f5a306ab02eee90437a8b5e16c224827ac8682fcd74d37c990e3e1536870dfc9324bcc107f4bee41a

  • C:\Users\Admin\AppData\Roaming\typerne\Antimasquer.exe
    Filesize
    367KB
    MD5
    3f9e85ff25b073cec3c1c93685ab6ce4
    SHA1
    52826e0e48e4ae38c1dc62dde09c3d81c8404e72
    SHA256
    328d8d15570d58af887a6a555d13de81359f13188af604b9aea65bf85218a589
    SHA512
    1517b72dafe4964e505d243f44d95b0df74802054ecfb92abce6bf3e0c77bf98d5abd8770f3786dce54d79753ba6271dc0b16621165f7009d86fa19a258dbbb4

  • C:\Users\Admin\Thoracodelphus\Ginias217\Geishas.Pin
    MD5
    d41d8cd98f00b204e9800998ecf8427e
    SHA1
    da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512
    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Local\Temp\nsd203E.tmp\BgImage.dll
    Filesize
    7KB
    MD5
    9436196007f65f0ae96f64b1c8b2572e
    SHA1
    4b004b5c2865c9450876be83faa8cc96e1d12c01
    SHA256
    286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9
    SHA512
    5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e

  • \Users\Admin\AppData\Local\Temp\nsd203E.tmp\System.dll
    Filesize
    11KB
    MD5
    8b3830b9dbf87f84ddd3b26645fed3a0
    SHA1
    223bef1f19e644a610a0877d01eadc9e28299509
    SHA256
    f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
    SHA512
    d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

  • \Users\Admin\AppData\Local\Temp\nsd203E.tmp\nsDialogs.dll
    Filesize
    9KB
    MD5
    82c3f38cd34739872af07443c65d0bd8
    SHA1
    1f4ee2d394404a291eda6419f856adaf4b960237
    SHA256
    59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311
    SHA512
    3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d

  • memory/412-146-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/780-189-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/908-157-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/1004-149-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/1016-144-0x0000000000400000-0x0000000000468000-memory.dmp
    Filesize
    416KB

  • memory/1016-145-0x0000000000400000-0x0000000000468000-memory.dmp
    Filesize
    416KB

  • memory/1016-143-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/1020-160-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/1892-153-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/2148-168-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/2292-48-0x00000000037C0000-0x00000000067A8000-memory.dmp
    Filesize
    47.9MB

  • memory/2292-67-0x00000000037C0000-0x00000000067A8000-memory.dmp
    Filesize
    47.9MB

  • memory/2292-54-0x00000000037C0000-0x00000000067A8000-memory.dmp
    Filesize
    47.9MB

  • memory/2292-49-0x0000000077441000-0x0000000077542000-memory.dmp
    Filesize
    1.0MB

  • memory/2292-50-0x0000000077440000-0x00000000775E9000-memory.dmp
    Filesize
    1.7MB

  • memory/2344-164-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/2556-66-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize
    16.4MB

  • memory/2556-55-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize
    16.4MB

  • memory/2556-53-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize
    16.4MB

  • memory/2556-51-0x0000000077440000-0x00000000775E9000-memory.dmp
    Filesize
    1.7MB

  • memory/2580-175-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/2680-182-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/2704-178-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/2756-171-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/2844-193-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/2932-186-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/3016-174-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize
    16.4MB

  • memory/3016-156-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize
    16.4MB

  • memory/3016-139-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize
    16.4MB

  • memory/3016-181-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize
    16.4MB

  • memory/3016-152-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize
    16.4MB

  • memory/3016-185-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize
    16.4MB

  • memory/3016-167-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize
    16.4MB

  • memory/3016-138-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize
    16.4MB

  • memory/3016-192-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize
    16.4MB

  • memory/3016-163-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize
    16.4MB