19-07-2024 19:18

240719-x1c57azane

Score
10/10

General

  • Target

    crowdstrike-hotfix.zip

  • Size

    3.9MB

  • Sample

    240719-x1c57azane

  • MD5

    1e84736efce206dc973acbc16540d3e5

  • SHA1

    fef212ec979f2fe2f48641160aadeb86b83f7b35

  • SHA256

    c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2

  • SHA512

    fa549420066ff538b5d6d17ca5be0bd1edabca3699a659fd43522f2ba4836fce3bf4dc4bcbdfa22c45baddc603ed2294901310f991bf7b3e4338002a9c27b874

  • SSDEEP

    98304:D7FFh0ObjLP706bh7a5Keyv0X5kWgrYhpz9mMZyz:DXf/bhYaYkFshpz9/yz

Malware Config

Extracted

Family

remcos

Botnet

fudstub

C2

213.5.130.58:443

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    Crashreport

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Rmc-0H4R64

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Setup.exe

    • Size

      2.0MB

    • MD5

      371c165e3e3c1a000051b78d7b0e7e79

    • SHA1

      2a2ecbbd4840c486b3507a18307369336ec5a1aa

    • SHA256

      5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9

    • SHA512

      4e6bd3f85c71a8ff0db1e92675295d5bbd0ee8cf24d4df4150a922e9c25fa1f7116263ac4e55c9a9420416fd0388db593c1fe43d22d0a8d25caa20eeb13f5080

    • SSDEEP

      24576:fsLSdP5XOFS5DbCVVtBF8SIIa0awy+qW5M8hbGY7WVaQX/VjjFD7YpmTfWD3B7jn:ELmVOFUK1JIIa0awN5d7WVaQX1T+z9D

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      datastate.dll

    • Size

      75KB

    • MD5

      28f0ccf746f952f94ff434ca989b7814

    • SHA1

      506e85d2de6377492d90b98aa20663b0ff3ce32a

    • SHA256

      6010e2147a0f51a7bfa2f942a5a9eaad9a294f463f717963b486ed3f53d305c2

    • SHA512

      b74ebb9a12079caf7bc074bb977ee94dc6ffcae845c1120026f384953fe2499d4bb0cdb7b6dcb2ff7f37e8135db06048815cc13d1837235eb11fe86e3c4572ee

    • SSDEEP

      768:BdPmXHrMcRkZrVlqE6BI6TalNPzrrSRTy3IXGX8prYXDRMMUKkVp4VdEhahE:r+XrMzriE6BorrJIXJpCRM7fVp4c

    Score
    3/10
    • Target

      madbasic_.bpl

    • Size

      209KB

    • MD5

      da03ebd2a8448f53d1bd9e16fc903168

    • SHA1

      889b4f487d8bba6af6ff6eb7f5afd74957586c49

    • SHA256

      d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea

    • SHA512

      0ddabef35bb786e29db15c1b85ac0dca740c0e8df133f67da0ea0ac3bcb3b0ee3f055bb348a4f6f32638f03ec1ad0fb1737d6c2928cb6e6e39e91567e27fade2

    • SSDEEP

      6144:BN/IpSQxE6qeM/k4qTl5L5e5+53WCG1C8FKFlf1:2qeM/k4qR5L5e5+53WNYH1

    Score
    1/10
    • Target

      maddisAsm_.bpl

    • Size

      61KB

    • MD5

      84bc072f8ea30746f0982afbda3c638f

    • SHA1

      f39343933ff3fc7934814d6d3b7b098bc92540a0

    • SHA256

      52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006

    • SHA512

      6e7648194738e8e49e48c2450eef1d482473cd4e5c0e83f292ac9174488f3f22a3b6ba96f07e024c2ab96613d9db1a97084ca0b3973ed5d88502e0d28e120ef5

    • SSDEEP

      768:RhaUyLDjc8SqMhnJ/zq0siFsjB5mYdWtC16+C+024bQJu0D3BIBo1w4Kv57dbhrC:RNy3eqMne0sXB0IWtCLwEJhY0w1SD

    Score
    1/10
    • Target

      madexcept_.bpl

    • Size

      435KB

    • MD5

      21068dfd733435c866312d35b9432733

    • SHA1

      3d5336c676d3dd94500d0d2fe853b9de457f10fd

    • SHA256

      835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299

    • SHA512

      54664a9e60e5a0b148fc4684125b7eac9cfc57d0bc5838204ed587d62e44c3347c0bae3192d5c375b6a74335b4fed4fc53248ba542c59022e9761872e09e3ee7

    • SSDEEP

      6144:mlAz49EKhEV30F8sl88nTjQ4Q50gEcW/jd+o72niVUNMa4Yn2c:mlG4ut30F8slzYlQcW/jd++2nJ6u2c

    Score
    1/10
    • Target

      rtl120.bpl

    • Size

      1.1MB

    • MD5

      630991830afe0b969bd0995e697ab16e

    • SHA1

      feda243d83fba15b23d654513dc1f0d70787ba18

    • SHA256

      b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3

    • SHA512

      2f2bf30be615f44e56ecca972a9fcbe27187045e13c468d039645e5cc6d01f990cde32b322965f245bc8fccfd0920f09a0afa1d4de0748ed01dd9ffc1bd24692

    • SSDEEP

      24576:ebhz5FWbA1msvIRzM7Rk5JZzSQ4+Is2D9Tx0gbo5:l2hTKgbo5

    Score
    1/10
    • Target

      sqlite3.dll

    • Size

      904KB

    • MD5

      9d255e04106ba7dcbd0bcb549e9a5a4e

    • SHA1

      a9becb85b181c37ee5a940e149754c1912a901f1

    • SHA256

      02f37a8e3d1790ac90c04bc50de73cd1a93e27caf833a1e1211b9cc6294ecee5

    • SHA512

      54c54787a4ca8643271169be403069bc5f1e319a55d6a0ebd84fb0d96f6e9bddc52b0908541d29db04a042b531abd6c05073e27b0b2753196e0055b8b8200b09

    • SSDEEP

      24576:rRxNAQB74x0FwTuis6eCwjH+SW61zf/AD:ra+syis/LjH+S31E

    Score
    3/10
    • Target

      vcl120.bpl

    • Size

      1.9MB

    • MD5

      849070ebd34cbaedc525599d6c3f8914

    • SHA1

      b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa

    • SHA256

      b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628

    • SHA512

      f2ca685b01be9d1b77d8d924e0097ddacee7628cc1aad8a87d8b18a699558d38a7851e6cff8bb2b8ae1980824588af5c3ac75b7b4198b620144dff61611f3aeb

    • SSDEEP

      24576:L2gt8PRUMggrgN/5tWw+eNVEXZB5SOCwhuuYY8RPyS9YEPI5yz6T:LRSf0Ww+NpPSyzYY8c8YEPI4+T

    Score
    1/10
    • Target

      vclx120.bpl

    • Size

      220KB

    • MD5

      7daa2b7fe529b45101a399b5ebf0a416

    • SHA1

      fd73f3561d0cebe341a6c380681fb08841fa5ce6

    • SHA256

      2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed

    • SHA512

      8e9ec71943c412fe95563e488d91e6ef0041c16a08654ff14b11953f134007657d1e6ec95952f6b9c8b8567a35368840618db06e5cd99abc43ae495a3fbc6b96

    • SSDEEP

      3072:F4af8kXL6nX0YXjvkWQ5vYhbNkWPFOEJ8YZbjeTl0Y25zFgYBzRKy6sB65avEtAt:Oaf8kLWL7Xov8bNxdOmrfgYmHA6I

    Score
    3/10
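The extracted config above and the hashes in the Targets list are the report's actual pivot points, so here is an added example (not part of the sandbox report or any vendor tooling) that turns them into hunting indicators and runs them over a few constructed telemetry lines. The line format, the expansion of `%AppData%` to `\AppData\Roaming`, and the confidence labels are assumptions made for the example. The caveat it encodes is that `keylog_flag` and `install_flag` are both false in this config, so the `logs.dat` and `remcos.exe` paths are weak indicators next to the C2 address, the mutex and the file hashes.

```python
"""
Derive hunting indicators from the Remcos config and file hashes in this
report and match them against telemetry lines.

Added example; the config/hash values are copied from the report above,
everything else (line format, path expansion, scoring) is an assumption.
"""
from dataclasses import dataclass

# Values copied from the extracted config on this page.
REMCOS_CONFIG = {
    "c2": "213.5.130.58:443",
    "mutex": "Rmc-0H4R64",
    "install_flag": False,
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_flag": False,
    "keylog_path": "%AppData%",
    "keylog_folder": "Crashreport",
    "keylog_file": "logs.dat",
}

# SHA256 of the lure archive and of the Remcos dropper, from the Targets list.
KNOWN_SHA256 = {
    "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2": "crowdstrike-hotfix.zip",
    "5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9": "Setup.exe",
}

# Assumed expansion of the Remcos path macro on a default Windows profile.
MACRO_EXPANSION = {"%AppData%": r"\AppData\Roaming"}


@dataclass(frozen=True)
class Indicator:
    kind: str        # net | mutex | path | hash
    value: str
    confidence: str  # high | low
    note: str


def expand_path(macro, *parts):
    """Join a Remcos path macro with folder/file names into a path suffix."""
    base = MACRO_EXPANSION.get(macro, macro)
    return base + "\\" + "\\".join(parts)


def build_indicators(cfg, hashes):
    """Derive indicators; a path is only high-confidence when the feature
    that writes it is enabled in the config."""
    ind = [
        Indicator("net", cfg["c2"], "high", "C2 from extracted config"),
        Indicator("mutex", cfg["mutex"], "high", "Remcos mutex from config"),
        Indicator(
            "path",
            expand_path(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]),
            "high" if cfg["keylog_flag"] else "low",
            "keylog file; only written when keylog_flag is set",
        ),
        Indicator(
            "path",
            "\\" + cfg["copy_folder"] + "\\" + cfg["copy_file"],
            "high" if cfg["install_flag"] else "low",
            "install copy; only created when install_flag is set",
        ),
    ]
    ind += [Indicator("hash", h, "high", name) for h, name in hashes.items()]
    return ind


def match_telemetry(lines, indicators):
    """Return (line_no, indicator) pairs for every indicator seen in a line.
    Matching is a case-insensitive substring test on the raw line."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for i in indicators:
            if i.value.lower() in low:
                hits.append((n, i))
    return hits


def hunt(lines):
    """Convenience wrapper: (line_no, kind, value, confidence) per hit."""
    ind = build_indicators(REMCOS_CONFIG, KNOWN_SHA256)
    return [(n, i.kind, i.value, i.confidence) for n, i in match_telemetry(lines, ind)]


# Constructed telemetry in a simplified key=value format (not real Sysmon
# output); line 5 is a benign connection to a documentation-range address.
SAMPLE_TELEMETRY = [
    r"ProcessCreate image=C:\Users\u\Downloads\crowdstrike-hotfix\Setup.exe sha256=5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9",
    r"NetworkConnect image=C:\Users\u\Downloads\crowdstrike-hotfix\Setup.exe dst=213.5.130.58:443",
    r"FileCreate image=C:\Users\u\Downloads\crowdstrike-hotfix\Setup.exe target=C:\Users\u\AppData\Roaming\Crashreport\logs.dat",
    r"MutexCreate image=C:\Users\u\Downloads\crowdstrike-hotfix\Setup.exe name=Rmc-0H4R64",
    r"NetworkConnect image=C:\Program Files\Mozilla Firefox\firefox.exe dst=198.51.100.7:443",
]

if __name__ == "__main__":
    for line_no, kind, value, conf in hunt(SAMPLE_TELEMETRY):
        print(f"line {line_no}: {kind:5s} {conf:4s} {value}")
```

Running the block prints one hit each for lines 1 to 4 and nothing for line 5; the `logs.dat` hit is reported as low confidence because the config has keylogging switched off, which is the distinction a hunt query built only from the attribute list would miss.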
