Overview

overview

10

Static

static

3

c5568321b4...cs.exe

windows7-x64

10

c5568321b4...cs.exe

windows10-2004-x64

10

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Milieubesk...rs.com

windows7-x64

Milieubesk...rs.com

windows10-2004-x64

Sabbatters.app

macos-10.15-amd64

1

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 15:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

  • Size

    349KB

  • MD5

    c5568321b40f1d51afac49234d2de480

  • SHA1

    c5169e1d05419bb698b86704ae8f3cbe7011d42e

  • SHA256

    560b3bba2f6d3e74b1901904c7ea9e7c61f94c754e648cb6503abaa233d7c485

  • SHA512

    f15d0141a89e1a6d89b030d10f2e7e60efbf5d2b21a905335f6ba79de8908796bfd4df928f398e984e06a86d3023cde783690843871f222432677dd5a848674e

  • SSDEEP

    6144:wQ606xhLK0o+/zqdPCb3m2aOmjpygIb20PM+Drhvnv/6:wK0bqdM2EVbv3hvnH6

Score
10/10
remcosclientcollectionpersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

CLIENT

C2

107.150.18.202:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-J3QQTH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 8 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
        C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe /stext "C:\Users\Admin\AppData\Local\Temp\sukdrulxoiakgejkcox"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:576
      • C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
        C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe /stext "C:\Users\Admin\AppData\Local\Temp\dwpvjnwrcqspqsfwlzkttg"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:1168
      • C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
        C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe /stext "C:\Users\Admin\AppData\Local\Temp\fqugkfgtyykctytadjfvetogj"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\App.ini
    Filesize

    77B

    MD5

    b6426bec11f84c1f71550c69d67350af

    SHA1

    d176738b6178b6808fcc776012b7a9173a7238ae

    SHA256

    55e72cf4659db890eb479be4af56d891d73c877b7588ddfd475393990177fef1

    SHA512

    38180b8da332ec9202c25c9e0b3c528af6227de68ad46b9bdb00289fd1fcd5eb11aca88969f83a1761c2b6beb96262b3a9e2f08fbbce0b4efe7fd3a7ac16730a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\sukdrulxoiakgejkcox
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Krydsrevisionernes.lnk
    Filesize

    890B

    MD5

    d3bc8c76f5bff73aec6293ca6c6e9ab1

    SHA1

    2b5e17ec0f2190aeb50e80644357aee1c219daa5

    SHA256

    c6aa00bf0e9f89d5d6a5b3294a50b1c23f8645b6581f7884f58b80db783fc9c7

    SHA512

    93e0ff770b74c924be8e4724c18059f47b77a6f20fc07b9ef3902cb183ab3fd31467bf76b57e05f908e160bfe4e1ecc95d3b8c11d3173371f975399c75fc86ae

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nso2E81.tmp\BgImage.dll
    Filesize

    7KB

    MD5

    9436196007f65f0ae96f64b1c8b2572e

    SHA1

    4b004b5c2865c9450876be83faa8cc96e1d12c01

    SHA256

    286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9

    SHA512

    5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nso2E81.tmp\System.dll
    Filesize

    11KB

    MD5

    8b3830b9dbf87f84ddd3b26645fed3a0

    SHA1

    223bef1f19e644a610a0877d01eadc9e28299509

    SHA256

    f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

    SHA512

    d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nso2E81.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    82c3f38cd34739872af07443c65d0bd8

    SHA1

    1f4ee2d394404a291eda6419f856adaf4b960237

    SHA256

    59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311

    SHA512

    3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d

    Download Submit
  • memory/576-65-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/576-83-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/576-66-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/576-70-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/576-63-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/576-67-0x00000000776A0000-0x0000000077849000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1168-69-0x0000000000400000-0x0000000000462000-memory.dmp
    Filesize

    392KB

    Download
  • memory/1168-72-0x0000000000400000-0x0000000000462000-memory.dmp
    Filesize

    392KB

    Download
  • memory/1168-75-0x0000000000400000-0x0000000000462000-memory.dmp
    Filesize

    392KB

    Download
  • memory/1168-68-0x0000000000400000-0x0000000000462000-memory.dmp
    Filesize

    392KB

    Download
  • memory/1168-87-0x0000000000400000-0x0000000000462000-memory.dmp
    Filesize

    392KB

    Download
  • memory/1648-76-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1648-74-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1648-73-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1648-71-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1648-77-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/2064-49-0x00000000776A0000-0x0000000077849000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2064-48-0x00000000776A1000-0x00000000777A2000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2624-86-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2624-93-0x0000000036F00000-0x0000000036F19000-memory.dmp
    Filesize

    100KB

    Download
  • memory/2624-50-0x00000000776A0000-0x0000000077849000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2624-56-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2624-60-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2624-62-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2624-92-0x0000000036F00000-0x0000000036F19000-memory.dmp
    Filesize

    100KB

    Download
  • memory/2624-52-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2624-89-0x0000000036F00000-0x0000000036F19000-memory.dmp
    Filesize

    100KB

    Download
  • memory/2624-94-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2624-95-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2624-96-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2624-97-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2624-98-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2624-99-0x0000000000470000-0x00000000014D2000-memory.dmp
    Filesize

    16.4MB

    Download