General

  • Target

    782024873acccdceacf0b83fe535efbae1cf84a595c894c25ff014a52d567bfb.zip

  • Size

    13.3MB

  • Sample

    240627-kdq3batgpk

  • MD5

    775159e408b499e7eaa1ee7983e01ed2

  • SHA1

    3d289d6db489086b04949b633aec9508ebec13fc

  • SHA256

    782024873acccdceacf0b83fe535efbae1cf84a595c894c25ff014a52d567bfb

  • SHA512

    0335a8b515887c5c1570daee4bc5619b51382d1aebfe46adb998db320e97aae769bb91a0a1928d4f282861ef9a1b461526200fd31ce954ed8997954f2b8d99d5

  • SSDEEP

    393216:vTHSy/92wsnKXxP70hS4sfUGudfhYklnRyofBQ1p:LHASJIc4sc/dfhYkZJQL

Malware Config

Extracted

  • Family

    remcos

  • Version

    1.7 Pro

  • Botnet

    banksy

  • C2

    62.102.148.166:3319

Attributes

  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    egsy

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_rpklfmytvo

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      133359336ed60b94e9cd500fb518a72fe8711c4a8f8fc83ef2cc242173d8cb96.exe

    • Size

      7.8MB

    • MD5

      e920056a531d4a0635ba526fabeda4ce

    • SHA1

      bee8a694a582fa559654d371ce81f9091f13e68c

    • SHA256

      133359336ed60b94e9cd500fb518a72fe8711c4a8f8fc83ef2cc242173d8cb96

    • SHA512

      645ee72f4b354f695daa35cabc124acd1c5db2ad423f8a6f7bc9fefdfa1a30ef4f7238e83565f10a0924ed6462a4304b60ee051c295e6df5b39a6661ad0ec086

    • SSDEEP

      196608:qBqD8pA1HeT39IigQd++vvKub75bcjWgbkzfQAkj0WlT:58C1+TtIiLdNvvB5IjWqkze

    Score
    7/10
    • Loads dropped DLL

    • Target

      system.pyc

    • Size

      11KB

    • MD5

      6d81ae0a91bf972a3955156a943b2377

    • SHA1

      eaa6649ec426475bd376b5c9c16708d60e7e8a58

    • SHA256

      99416300b3a6b4c6e635d238ac19a5d8b37b99ae992606138aade1107489eadc

    • SHA512

      86d1f44d67be83472dd50c87f7ba56590136e65ce56bca9d36bce4964502c3ce5033f1ab4145976b4ad1db72c0ceb5b04e92be9b875f968083aea813cffa179d

    • SSDEEP

      192:o6MA39zo1ap8wpZQtqI4oXTg6oFhaF6ZgL/ydw3Y6tn9+ee18sNOUoeCYv2WS:FzrlWD+QF62yqNrte18MaYeWS

    Score
    3/10
    • Target

      15b2fa0131427a7fbffe42ce83f36357661772faa0381e6ab8ef21a81c6380aa.zip

    • Size

      2.9MB

    • MD5

      172132ed63ed09ab68ff20a40ccd7ba6

    • SHA1

      82d4c78f35073536f5cdb2ad149384c78f538109

    • SHA256

      15b2fa0131427a7fbffe42ce83f36357661772faa0381e6ab8ef21a81c6380aa

    • SHA512

      6b120ec1c7847b2fc360b46f0f0d09b5e4b1c5140357a2abae36466edaea7043a22eb0624388bab2f7f3a9cbfb2cc7e83ebb37abc2439b2ceac5f64e3e3adbc9

    • SSDEEP

      49152:MUVcxzJXhKUT1Wyu3+shqJW2fKPxT8/76BKNwNZrlC5xfmwLIggKk:9cphhKcrshqJ3oThsYrMmwcgbk

    Score
    1/10
    • Target

      IMHttpComm.dll

    • Size

      32KB

    • MD5

      a70d91a9fd7b65baa0355ee559098bd8

    • SHA1

      546127579c06ae0ae4f63f216da422065a859e2f

    • SHA256

      96d6264b26decf6595ca6f0584a1b60589ec5dacdf03ddf5fbb6104a6afc9e7a

    • SHA512

      f13b735a47090c7c6cc6c2bf9148408ee6db179c96ee6428270541f27e50ad12cff7486f3a6ffac2ba83fd2e6e8e49661e6258f5aee97eb0f48771cbbd22aefa

    • SSDEEP

      384:UYacYCuDAIKaDEsdpRPcWzXKNfdZ1uTslWfXLhxyM8OjrsVIObsU25hoe1nYPLMt:Scr9/i1AscZ1wf7h4bOjKRsIe1

    Score
    3/10
    • Target

      ImLookExU.dll

    • Size

      262KB

    • MD5

      c3d6a629966b2de0ac954c0c75847f59

    • SHA1

      8109256492cb3a2a38a6587b7e1145c58e078769

    • SHA256

      0e469f31a8399483862231a0fe5b78bf90a7df4ac5c0470ae79adc33e4a42d10

    • SHA512

      c80f718baa86aa05a566b8b5f8087a9f32703ef8f00ded809e0a2d74e94604b4b524989d953e26b9752e02fe2601ebe6527ef03384f6368ff6e5dca289a857e0

    • SSDEEP

      6144:9X6yu38mY4o8xnZSYDI7jlFl4oYVFl4OgqAIwMr5s:9X6yhmY4pZSYkvl4/NwU5s

    Score
    1/10
    • Target

      ImLookU.dll

    • Size

      606KB

    • MD5

      3ea6d805a18715f7368363dea3cd3f4c

    • SHA1

      30ffafc1dd447172fa91404f07038d759c412464

    • SHA256

      a6766c524497144d585efa4fe384b516b563203427003508f7c8f6bffa7c928d

    • SHA512

      a102f23741de4ca2184485d9aa4ddd1a36b9ea52cb0859cfd264d69a9996293b7e29b325625f1f6f9330d6c80ff415e09e85e1ae838c58acef585ae8dffe3070

    • SSDEEP

      6144:5hvkhcT5e0HWJ5/10UfCrXCL12gQhYwtHWDEyF0nb6rFBvJ+sbJeDH+8uGh7xgLX:5hvkhcTd2JxXCrS85h0Dh0nMKbz45

    Score
    3/10
    • Target

      ImNtUtilU.dll

    • Size

      94KB

    • MD5

      bb326fe795e2c1c19cd79f320e169fd3

    • SHA1

      1c1f2b8d98f01870455712e6eba26d77753adcac

    • SHA256

      a8e1b0e676dce9556037d29fd96521ec814858404ba4cfdd0db0edbe22c87bc7

    • SHA512

      a1ec894151baa14e4ac1ee9471e8606bf74edd39f7833d9a1a44eee74d403f6b52780c135e9718ff9564fa27d7128c22b8410b21f77e6d804f698cfb4eda65a1

    • SSDEEP

      1536:q01U2obLeNvXXZ6Wb/2LamjMkUYCTSZaKAxvSJKRDOAG921:NobLeNvXp6Ou+mjMkUYC2ZVAxxFOAG9s

    Score
    3/10
    • Target

      ImPackr.exe

    • Size

      102KB

    • MD5

      2f779ac4318fd4990c828f60d16f2b17

    • SHA1

      a188080158f8cdfe5050d6e828fb69e17ac0be19

    • SHA256

      689951b03517f77b6c04bb57f604f50736dc1a86b87253b0dee73722d4520a11

    • SHA512

      7f6dc79ab6db4615bb0c7b31d36cc8750373f9b7c199bfaa8e1eff9dbd6f0b790fe7e4c9dc86b62abb811d93e946e68ddc171701bddba423079447124ca6464c

    • SSDEEP

      1536:BdPnjwBj/h13T5KRy8DiliMz+WPSC0mJcSs93k0TmOTWAnBchQlQICRXRXYu:BdPjwRrdoirza7C0iOPchc6Np

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      ImUtilsU.dll

    • Size

      1.4MB

    • MD5

      a7eaba8bc12b2b7ec2a41a4d9e45008a

    • SHA1

      6a96a18bb4f1cd6196517713ed634f37f6b0362b

    • SHA256

      914b1e53451b8be2c362d62514f28bdef46a133535d959b13f3f4bf3bc63df3a

    • SHA512

      0ae7fbdb2677d92c62337aa17b60a4887240a4a426ba638c7633587f4582adbcda2bde5ec824aab1a3f69acf2b391118763842acfab856d3d9764850961a2ac8

    • SSDEEP

      24576:2EQirQajY+S5eqyL9dj7GP4a6xKlnNYndIA1HVtFyC0Glqb6WUOQZljMFbDG0:fQj+S5epJl7+eenN5+HVDD0bUOQPUbDP

    Score
    3/10
    • Target

      ImWrappU.dll

    • Size

      158KB

    • MD5

      cbf4827a5920a5f02c50f78ed46d0319

    • SHA1

      b035770e9d9283c61f8f8bbc041e3add0197de7b

    • SHA256

      7187903a9e4078f4d31f4b709a59d24eb6b417ea289f4f28eabce1ea2e713dce

    • SHA512

      d1a285fb630f55df700a74e5222546656de7d2da7e1419e2936078340767d0bab343b603ba0d07140c790eb5d79a8a34b7818b90316ea06cb9f53cad86b6d3f5

    • SSDEEP

      1536:+Vcm093l7KjJdwXjCsZ+WymDAZZxgbgROgldJ+VEcn75A:+Vcm03ggjCsZDym6Og5+Vpm

    Score
    1/10
    • Target

      Microsoft.VC80.CRT.manifest

    • Size

      1KB

    • MD5

      541423a06efdcd4e4554c719061f82cf

    • SHA1

      2e12c6df7352c3ed3c61a45baf68eace1cc9546e

    • SHA256

      17ad1a64ba1c382abf89341b40950f9b31f95015c6b0d3e25925bfebc1b53eb5

    • SHA512

      11cf735dcddba72babb9de8f59e0c180a9fec8268cbfca09d17d8535f1b92c17bf32acda86499e420cbe7763a96d6067feb67fa1ed745067ab326fd5b84188c6

    Score
    3/10
    • Target

      Microsoft.VC80.MFC.manifest

    • Size

      2KB

    • MD5

      97b859f11538bbe20f17dfb9c0979a1c

    • SHA1

      2593ad721d7be3821fd0b40611a467db97be8547

    • SHA256

      4ed3ba814de7fd08b4e4c6143d144e603536c343602e1071803b86e58391be36

    • SHA512

      905c7879df47559ad271dc052ef8ae38555eac49e8ac516bc011624bf9a622eb10ee5c6a06fbd3e5c0fa956a0d38f03f6808c1c58ee57813818fe8b8319a3541

    Score
    3/10
    • Target

      SftTree_IX86_U_60.dll

    • Size

      570KB

    • MD5

      57bf106e5ec51b703b83b69a402dc39f

    • SHA1

      bd4cfab7c50318607326504cc877c0bc84ef56ef

    • SHA256

      24f2399fc83198ab8d63ee6a1ad6ffbd1eda4d38048d3e809fecd2a3e0709671

    • SHA512

      8bf60649ece6bbb66c7b94ed0d9214fbeab030d5813e1e7b5d6d2349ee1de9075b7dfbbbbeae5af0dc21b071a00eafce0771ca1804e6752e9a71e71e6b1447df

    • SSDEEP

      6144:+F1oCaK7hWLMxQqTxNEaPe/cq0sJBJYzlRtcChgWPQnjLkV3Ij9DvAmintVM:koxK7hhNN1m/cq0sJ/YzNcCj0oVy8Y

    Score
    1/10
    • Target

      chamiso.sql

    • Size

      36KB

    • MD5

      6bcc249ad4d750689bf56ca9467b4d06

    • SHA1

      ac6af58e8b556f5c9b35c787b204172a949ee9f3

    • SHA256

      205643214e81608a874ea9ce959437cbeae2ca1f92221a113a2aaa2e3802e277

    • SHA512

      5e6bfb766c80e4a6929c0eadec50874c224b335ff2f7d6ced2e24df62a1fe6e3d523389e2429ccec7f9f90174960185529adcae2af330b3076875577855644ea

    • SSDEEP

      768:fqFb2tZmbtBW+XJEEWisWlfBPWZbH2kBN:iFKtZwWgQWLWZbWkz

    Score
    3/10
    • Target

      mfc80u.dll

    • Size

      1.0MB

    • MD5

      ccc2e312486ae6b80970211da472268b

    • SHA1

      025b52ff11627760f7006510e9a521b554230fee

    • SHA256

      18be5d3c656236b7e3cd6d619d62496fe3e7f66bf2859e460f8ac3d1a6bdaa9a

    • SHA512

      d6892abb1a85b9cf0fc6abe1c3aca6c46fc47541dffc2b75f311e8d2c9c1d367f265599456bd77be0e2b6d20c6c22ff5f0c46e7d9ba22c847ad1cbedc8ca3eff

    • SSDEEP

      12288:o5lk6KUYmYRP6vAt9+J51r64f22JhPeEiz8F+p/xoOTa+S9XqNNw2ohW3:UyUaP64t9+JfrRJiz8F+p/N2/cmW

    Score
    1/10
    • Target

      msvcp80.dll

    • Size

      536KB

    • MD5

      4c8a880eabc0b4d462cc4b2472116ea1

    • SHA1

      d0a27f553c0fe0e507c7df079485b601d5b592e6

    • SHA256

      2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

    • SHA512

      6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

    • SSDEEP

      12288:Q1HyurvZ0JPjuTtSu86th1n/hUgiW6QR7t5j3Ooc8NHkC2eo:Q1HyurvZ0liTwuhtjnj3Ooc8NHkC2eo

    Score
    1/10
    • Target

      msvcr80.dll

    • Size

      612KB

    • MD5

      e4fece18310e23b1d8fee993e35e7a6f

    • SHA1

      9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

    • SHA256

      02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

    • SHA512

      2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

    • SSDEEP

      12288:6Fqi2VC1J7Zs7a5zchr46CIfsyZmGyYCqeC:6Ui2C1JdoiEdmGyYu

    Score
    1/10
    • Target

      torpor.zip

    • Size

      683KB

    • MD5

      9dfcb15cd9862cb14ac2f9e8d02fa01c

    • SHA1

      3c36b604a8fc07b1a2fd66af80b12b7d27de9c81

    • SHA256

      50872668c0884f57196445492613bb9c3989908072ff765566b43f78464f50fe

    • SHA512

      e819c32d2a6d54e37035d62226dc0d1bb779183f3aeb2566d90b15f792a47b07456aa0c0ad18841d3ccb39a54ea6e7f4c5ea82f8fe0be32b9e5c318e02f086fa

    • SSDEEP

      12288:iJvnANsNeIIRnEte6rfxde1IiIi2jYEFxFEVDIGRpfqTEeOPfbFJtwaiCi:TNsNeIq0bdUIJMEiV1pSo/fRDGCi

    Score
    1/10
    • Target

      wlessfp1.dll

    • Size

      70KB

    • MD5

      5120c44f241a12a3d5a3e87856477c13

    • SHA1

      cd8a6ef728c48e17d570c8dc582ec49e17104f6d

    • SHA256

      fbd4b6011d3d1c2af22827ca548ba19669eef31173d496e75f064ef7a884431c

    • SHA512

      67c0e718368e950d42f007d6a21c6f903b084d6514f777b86aab3111ffe3be995949674276081c0281139a0b39119b84630a0ac341d4ae78677ac8346f371ae1

    • SSDEEP

      1536:nEqYKdOEuqRKXd9ZWbIOinToIfYeyOgtPko:EqnB89ZouTBf5yOgtPko

    Score
    3/10
    • Target

      1dcf0f609f8e6867fe4a7b49c97d5674fefe7a64fdb82de1fd819a3b96a8d8f9.exe

    • Size

      4.2MB

    • MD5

      df8bc20d6d4c7e66a8d0b2fb75e2cb99

    • SHA1

      5b0a5995d233907e802ce289c5433e7b416969a7

    • SHA256

      1dcf0f609f8e6867fe4a7b49c97d5674fefe7a64fdb82de1fd819a3b96a8d8f9

    • SHA512

      7d6ac3b5afb3babc0ff8d807a0c4f6b2c314e841b30b1f8fb734b573f001c7c41a19fe69c8457ba9f35a5ead78de11e65d9a59d3142cc41d1c3ba91d7917b00a

    • SSDEEP

      49152:RVfDv2Ukn4dghWFiOPGgHGZZSLO3THkCouaUq8c3Fn7t62TpBPuVlVYZwDqMLUs9:RVfDv1kn8gvid9t6O/4lW6XLUszv0AZ

    Score
    5/10
    • Suspicious use of SetThreadContext

    • Target

      b76a896c8faf8ca28e4f0ecce91e7a622c3ea8999f27503ac9f46e09542c26f7.exe

    • Size

      92KB

    • MD5

      caad5e1ae920d351c2521be2dc5f22fc

    • SHA1

      387312f70d7bd53a4ab5a779a38d125d731323cc

    • SHA256

      b76a896c8faf8ca28e4f0ecce91e7a622c3ea8999f27503ac9f46e09542c26f7

    • SHA512

      208d29b51865c4d42e7bd75f291f0601f1513073fc9d85f898e04a9a8e88d1e1956f0120bdcab7ede2186901fe025ada9ad407ab3aeb6aadbb910cef960cc052

    • SSDEEP

      1536:IhhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP66rA:OhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+q

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks