Analysis
max time kernel: 147s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-08-2024 13:34

Static task: static1

Behavioral task: behavioral1
Sample: eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe
Resource: win10v2004-20240802-en
General
Target: eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe
Size: 1.4MB
MD5: 2592d02088ef02e13ad5740fd85ceb17
SHA1: 7abba6c521701ae077d7c29f28c87b44d8411922
SHA256: eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6
SHA512: 50314d33155c066f1cfbb9efac5cfcc9e540c63ff1ccb3c463e6286ee6acac81a09bb1a1b552c2b6243df4ec52aa015ee803900566f1c25f0edfbbe408547310
SSDEEP: 24576:IqDEvCTbMWu7rQYlBQcBiT6rprG8arcpZttWJ84kzOS:ITvC/MTQYxsWR7arcPu
Malware Config
Extracted: remcos
RemoteHost: ocservice.duckdns.org:6622
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: evferf
mouse_option: false
mutex: Rmc-5U6QT9
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copy of, a web browser credential store.

Detected Nirsoft tools (7 IoCs)
Free utilities often used by attackers, which can steal passwords, product keys, etc.
resource / yara_rule:
- behavioral2/memory/3440-55-0x0000000000400000-0x0000000000462000-memory.dmp / Nirsoft
- behavioral2/memory/3440-61-0x0000000000400000-0x0000000000462000-memory.dmp / Nirsoft
- behavioral2/memory/3440-65-0x0000000000400000-0x0000000000462000-memory.dmp / Nirsoft
- behavioral2/memory/1232-60-0x0000000000400000-0x0000000000478000-memory.dmp / Nirsoft
- behavioral2/memory/1232-54-0x0000000000400000-0x0000000000478000-memory.dmp / Nirsoft
- behavioral2/memory/460-67-0x0000000000400000-0x0000000000424000-memory.dmp / Nirsoft
- behavioral2/memory/1232-69-0x0000000000400000-0x0000000000478000-memory.dmp / Nirsoft

NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients.
resource / yara_rule:
- behavioral2/memory/3440-55-0x0000000000400000-0x0000000000462000-memory.dmp / MailPassView
- behavioral2/memory/3440-61-0x0000000000400000-0x0000000000462000-memory.dmp / MailPassView
- behavioral2/memory/3440-65-0x0000000000400000-0x0000000000462000-memory.dmp / MailPassView

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers.
resource / yara_rule:
- behavioral2/memory/1232-60-0x0000000000400000-0x0000000000478000-memory.dmp / WebBrowserPassView
- behavioral2/memory/1232-54-0x0000000000400000-0x0000000000478000-memory.dmp / WebBrowserPassView
- behavioral2/memory/1232-69-0x0000000000400000-0x0000000000478000-memory.dmp / WebBrowserPassView

Drops startup file (1 IoCs)
description / ioc / Process:
- File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs / jailkeeper.exe

Executes dropped EXE (4 IoCs)
pid / Process:
- 1444 / jailkeeper.exe
- 1232 / jailkeeper.exe
- 3440 / jailkeeper.exe
- 460 / jailkeeper.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description / ioc / Process:
- Key opened / \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts / jailkeeper.exe

AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
resource / yara_rule:
- behavioral2/files/0x000800000002347f-14.dat / autoit_exe

Suspicious use of SetThreadContext (3 IoCs)
description / pid / Process / procid_target:
- PID 1444 set thread context of 1232 / 1444 / jailkeeper.exe / 93
- PID 1444 set thread context of 3440 / 1444 / jailkeeper.exe / 94
- PID 1444 set thread context of 460 / 1444 / jailkeeper.exe / 95

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / jailkeeper.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / jailkeeper.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / jailkeeper.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / jailkeeper.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid / Process:
- 1232 / jailkeeper.exe
- 1232 / jailkeeper.exe
- 460 / jailkeeper.exe
- 460 / jailkeeper.exe
- 1232 / jailkeeper.exe
- 1232 / jailkeeper.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
pid / Process:
- 1444 / jailkeeper.exe
- 1444 / jailkeeper.exe
- 1444 / jailkeeper.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege / 460 / jailkeeper.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
pid / Process:
- 3940 / eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe
- 3940 / eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe
- 1444 / jailkeeper.exe
- 1444 / jailkeeper.exe
- 1444 / jailkeeper.exe

Suspicious use of SendNotifyMessage (5 IoCs)
pid / Process:
- 3940 / eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe
- 3940 / eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe
- 1444 / jailkeeper.exe
- 1444 / jailkeeper.exe
- 1444 / jailkeeper.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description / pid / Process / procid_target:
- PID 3940 wrote to memory of 1444 / 3940 / eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe / 87
- PID 3940 wrote to memory of 1444 / 3940 / eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe / 87
- PID 3940 wrote to memory of 1444 / 3940 / eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe / 87
- PID 1444 wrote to memory of 1232 / 1444 / jailkeeper.exe / 93
- PID 1444 wrote to memory of 1232 / 1444 / jailkeeper.exe / 93
- PID 1444 wrote to memory of 1232 / 1444 / jailkeeper.exe / 93
- PID 1444 wrote to memory of 1232 / 1444 / jailkeeper.exe / 93
- PID 1444 wrote to memory of 3440 / 1444 / jailkeeper.exe / 94
- PID 1444 wrote to memory of 3440 / 1444 / jailkeeper.exe / 94
- PID 1444 wrote to memory of 3440 / 1444 / jailkeeper.exe / 94
- PID 1444 wrote to memory of 3440 / 1444 / jailkeeper.exe / 94
- PID 1444 wrote to memory of 460 / 1444 / jailkeeper.exe / 95
- PID 1444 wrote to memory of 460 / 1444 / jailkeeper.exe / 95
- PID 1444 wrote to memory of 460 / 1444 / jailkeeper.exe / 95
- PID 1444 wrote to memory of 460 / 1444 / jailkeeper.exe / 95
Processes (process tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"
  PID: 3940
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"
    PID: 1444
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe /stext "C:\Users\Admin\AppData\Local\Temp\nebzgqg"
      PID: 1232
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe /stext "C:\Users\Admin\AppData\Local\Temp\qygrgjrpmj"
      PID: 3440
      - Executes dropped EXE
      - Accesses Microsoft Outlook accounts
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe /stext "C:\Users\Admin\AppData\Local\Temp\aalchbcrarrqto"
      PID: 460
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads