Overview

overview

10

Static

static

1

ScreenShot.exe

windows7-x64

10

ScreenShot.exe

windows10-2004-x64

10

altorilievo.ppt

windows7-x64

3

altorilievo.ppt

windows10-2004-x64

1

centenary.app

macos-10.15-amd64

1

madbasic_.dll

windows7-x64

3

madbasic_.dll

windows10-2004-x64

3

maddisAsm_.dll

windows7-x64

3

maddisAsm_.dll

windows10-2004-x64

3

madexcept_.dll

windows7-x64

3

madexcept_.dll

windows10-2004-x64

3

rtl120.dll

windows7-x64

3

rtl120.dll

windows10-2004-x64

3

vcl120.dll

windows7-x64

3

vcl120.dll

windows10-2004-x64

3

vclx120.dll

windows7-x64

3

vclx120.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    27-07-2024 01:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ScreenShot.exe

  • Size

    1.3MB

  • MD5

    6a2cdd8709524999190f4b43a83108c9

  • SHA1

    47b472ca518760552d1e0fa2d2321339dd596471

  • SHA256

    bd0f954149173d3f5766eee5bd78d5f27ea1ea69667da7b3970b0e6154afc85f

  • SHA512

    3b9a50892b7b18480380f69f0eb185b663e82da16064b60a262e9f3181f23ee8510b338eb28af7b961ab555082ffc494cc4fa950610d1991e6d1fa12ba497299

  • SSDEEP

    24576:ToaZhvL2xgUgoJU72/LV5P3bhIqCl1xlaxqBmdq5:Z6xgUgoJUcaqCDxv

Score
10/10
remcoshumadiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

huma

C2

81.19.139.74:4343

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-OMQQOG

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ScreenShot.exe
    "C:\Users\Admin\AppData\Local\Temp\ScreenShot.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Users\Admin\AppData\Roaming\bj_service_testv4\ScreenShot.exe
      C:\Users\Admin\AppData\Roaming\bj_service_testv4\ScreenShot.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2300

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ce03a4b1
    Filesize

    1.2MB

    MD5

    707a3ffe3ebd09847daafac77ecb2832

    SHA1

    fd28abb5f004cf3bac8d1c5eabd2c87fd560d115

    SHA256

    e15b325b7575fdf0fd93e2a2c2fc57365423604b783a1fa5856b6656644cd04e

    SHA512

    c5a500ac0751467923aa196875b7b15069dc1de0e0d8813de6072985e5534ff6dcc8140150f543a359c4cb42c69a72f17cfdfe012961ce42e8110871bad00a69

    Download Submit

  • C:\Users\Admin\AppData\Roaming\bj_service_testv4\altorilievo.ppt
    Filesize

    942KB

    MD5

    e540c4fcecd77b819094eee15ced316a

    SHA1

    d45eb272fdf83641c942c0b7c66aa1ae313738a0

    SHA256

    577ddb0c94d3814a044af5a4ff2591f1e59d227ae00b37358427e2de2d80ff3d

    SHA512

    01ae43e96ae17b121f2c44b2c67f8ef66e7e278331d4c27d98206304b3a25d3dc211c3a1e2e2c6de6c342007cb67dcfbd7b6af7eeec5c5af5ad8421472d09c8e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\bj_service_testv4\centenary.app
    Filesize

    29KB

    MD5

    ed5672e9357974fe27faa05c97b9c6ce

    SHA1

    f866486cd73b42d4aedddba71f16cad9d4554fcb

    SHA256

    530f8dbee1036b66a3c77512e216ab0f67779a3640daf2864d1fd8bd7e539c30

    SHA512

    246b0e833f6b081d9a839537039c1b3432501c2d42491cd5feb45e1a82c71e55370532d8854700eea3a335728cb5c4a7a396e6896ff896427a8f95befdf68252

    Download Submit

  • C:\Users\Admin\AppData\Roaming\bj_service_testv4\madBasic_.bpl
    Filesize

    212KB

    MD5

    a734f2428443030c46db9ce3ab2e68a6

    SHA1

    1bf4d3e9b4bf1d801a348f2e46cc9887bae12998

    SHA256

    038511fc64801be03d8472a2f7a6ba8a27e0398cf876be1427c1463cf9190c80

    SHA512

    d829ea13a0d736bee3a788822f5c04e58deff6175da735c25b8031d19e9c3c6bfa40af6882b6e842ba466ba0a5d51c766310491d73261a842334215edf09b699

    Download Submit

  • C:\Users\Admin\AppData\Roaming\bj_service_testv4\madDisAsm_.bpl
    Filesize

    64KB

    MD5

    11efab4068cb4058207959e2638c2c1a

    SHA1

    b1eac0879dcda14bdc0c2efd7f261d7c175208c3

    SHA256

    11e3568f497c40331ee4a9e9973967e61b224e19204e09ed7451da3b74bd2ff5

    SHA512

    ced6167612674232429c25e52ba051994b09fdaeaf3316505904456ef8d7063f2eb03b5a158f0a424f0ecb49673e6a3d6b57d61183c5f8402da3fe53af0bd185

    Download Submit

  • C:\Users\Admin\AppData\Roaming\bj_service_testv4\madExcept_.bpl
    Filesize

    438KB

    MD5

    562ec96d0f65b0309ad7508d0e0ced11

    SHA1

    0fe9dda664f4f8d9ae18603c5a25756710032a6f

    SHA256

    fb64a5954b726d2d0f0bc26113a36dc8a86c469af994ceeaf2e2609743a0a557

    SHA512

    876b82534764b2d156ce64d52771d38f245d330957287773f6b2360f48564b8d4a304449fa6f6400052165aaf433a191af2d3b38b194a9b1e892552dc0805fba

    Download Submit

  • C:\Users\Admin\AppData\Roaming\bj_service_testv4\rtl120.bpl
    Filesize

    1.1MB

    MD5

    e71e48e31ac728a6de7c020645f0c32f

    SHA1

    7f86eadd1b7a0ab87b7ce7c2029bdef3d6fe1d8d

    SHA256

    40a1d1a2f276738f568700ddccac99cdcd35b973fc8be86ab826c0d1abc9d6ff

    SHA512

    5e41dbe7efac8a042a14c2f976d1afcd45e3f7531fb60daab61ac17ffd339d34e1c6746fce9e4b591b026598a89e38f36c6d24e33e2de0b39d81806259f9be2a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\bj_service_testv4\vcl120.bpl
    Filesize

    1.9MB

    MD5

    c8cff500ac30e5ef120ecb00bcdc0ebb

    SHA1

    6dc63844fbc7e9678d8653d715d1f65c8c9f834b

    SHA256

    7867aa9cb994e770c40e5b827d4f689bdc913b3466965b77a2b322d6c526045b

    SHA512

    de393681162c50507f3a54b957c264a25993e28b38ac7f21df9b2ce2eab9177a46e1336a88a5045c75aa66f5e9cf2b5edeef5516225bdd80ed0c01506489e8b0

    Download Submit

  • \Users\Admin\AppData\Roaming\bj_service_testv4\ScreenShot.exe
    Filesize

    1.3MB

    MD5

    6a2cdd8709524999190f4b43a83108c9

    SHA1

    47b472ca518760552d1e0fa2d2321339dd596471

    SHA256

    bd0f954149173d3f5766eee5bd78d5f27ea1ea69667da7b3970b0e6154afc85f

    SHA512

    3b9a50892b7b18480380f69f0eb185b663e82da16064b60a262e9f3181f23ee8510b338eb28af7b961ab555082ffc494cc4fa950610d1991e6d1fa12ba497299

    Download Submit

  • \Users\Admin\AppData\Roaming\bj_service_testv4\vclx120.bpl
    Filesize

    223KB

    MD5

    8aaa3926885b3fa7ae0448f5e700cb79

    SHA1

    47bd7d281ddde5ebef8599482212743bf2f7e67b

    SHA256

    47396c301fbe78bfaf9e344936a0f7a4e6d174c096f847e160d822e48012162d

    SHA512

    86d395ca89ec2a988f035ecb32640ddac99247e2568673246388fe310e8c3a44807049e8f3482fae86c453d5e3529a8f2daf8614a1086b6d979e64fd917bbe3a

    Download Submit

  • memory/1888-32-0x0000000050120000-0x000000005030D000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1888-31-0x0000000057000000-0x000000005703F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1888-29-0x0000000050000000-0x0000000050116000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1888-35-0x0000000050310000-0x0000000050349000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1888-1-0x0000000077640000-0x00000000777E9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1888-34-0x0000000057800000-0x0000000057812000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1888-16-0x0000000000400000-0x000000000058B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1888-33-0x0000000059800000-0x000000005986E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1888-0-0x0000000074AF0000-0x0000000074C64000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2300-115-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2300-114-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2300-106-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2300-113-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2300-112-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2300-116-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2300-111-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2300-110-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2300-109-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2300-108-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2300-107-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2300-102-0x0000000077640000-0x00000000777E9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2300-103-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2432-38-0x0000000074B02000-0x0000000074B04000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2432-43-0x0000000050000000-0x0000000050116000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2432-40-0x0000000074AF0000-0x0000000074C64000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2432-39-0x0000000074AF0000-0x0000000074C64000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2432-37-0x0000000077640000-0x00000000777E9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2432-36-0x0000000074AF0000-0x0000000074C64000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2816-101-0x0000000074AF0000-0x0000000074C64000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2816-99-0x0000000074AF0000-0x0000000074C64000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2816-98-0x0000000074AF0000-0x0000000074C64000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2816-51-0x0000000077640000-0x00000000777E9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2816-49-0x0000000074AF0000-0x0000000074C64000-memory.dmp

    Filesize

    1.5MB

    Download