Overview

overview

10

Static

static

10

0af76f2897...d5.exe

windows7-x64

9

0af76f2897...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5.exe

  • Size

    483KB

  • MD5

    f6118a965e44ee55e708edf7adcdc1df

  • SHA1

    d5ed640efe39c52ed9a08841837654979f38b384

  • SHA256

    0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5

  • SHA512

    7aca0810ffda2d45c44186f8d75e19b446e475879123b46d97ec6fa2fd302b3690d5e0f56c9d5ae8b13a4023f9a92bf4b58c1493f3890b8d302a15a8db0caacf

  • SSDEEP

    6144:8XIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZsAX4cNA5Gv:8X7tPMK8ctGe4Dzl4h2QnuPs/ZsBcv

Score
10/10
remcoszynovacollectionratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

ZYNOVA

C2

remchukwugixiemu4.duckdns.org:57844

remchukwugixiemu4.duckdns.org:57846

remchukwugix231fgh.duckdns.org:57844

remchukwugix231fgh.duckdns.org:57846
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    lpaowtrts.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    akpleoeurs-QPYUMO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5.exe
    "C:\Users\Admin\AppData\Local\Temp\0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Users\Admin\AppData\Local\Temp\0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5.exe
      C:\Users\Admin\AppData\Local\Temp\0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5.exe /stext "C:\Users\Admin\AppData\Local\Temp\imlgeptiffejxlqsmjqidaddosptyp"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2352
    • C:\Users\Admin\AppData\Local\Temp\0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5.exe
      C:\Users\Admin\AppData\Local\Temp\0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5.exe /stext "C:\Users\Admin\AppData\Local\Temp\soqzfiejsowohzewvtdjonxuxhhcraelrk"
      2⤵
      • Accesses Microsoft Outlook accounts
      PID:2276
    • C:\Users\Admin\AppData\Local\Temp\0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5.exe
      C:\Users\Admin\AppData\Local\Temp\0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5.exe /stext "C:\Users\Admin\AppData\Local\Temp\vierga"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4460
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4776

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\imlgeptiffejxlqsmjqidaddosptyp
      Filesize

      4KB

      MD5

      365f45018b7bcc98591979d6c4b23752

      SHA1

      073aff125450845105f5daa7d0e7cc24ee8bbca5

      SHA256

      27be905cdbf87c23851d00d61afd5fcfe5c72b1de227ac7d8c0dc5c7583c9a6e

      SHA512

      4bd0d2266c624b9ad40e9ba6cb4d63debd12f46f5c27afae3bfc20e3e7f5e9f9c88f83151166324223c5889034a4d70652cf747f6943af011191c64c28e18703

      Download Submit
    • memory/2276-22-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/2276-25-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/2276-11-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/2276-4-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/2276-28-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/2352-3-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/2352-13-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/2352-16-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/2352-10-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/2352-30-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/4460-18-0x0000000000430000-0x00000000004F9000-memory.dmp
      Filesize

      804KB

      Download
    • memory/4460-15-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/4460-23-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/4460-17-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/4460-12-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/5060-33-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize

      100KB

      Download
    • memory/5060-39-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/5060-36-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize

      100KB

      Download
    • memory/5060-37-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize

      100KB

      Download
    • memory/5060-38-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download