Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
02-09-2024 09:20
General
-
Target
SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exe
-
Size
953KB
-
MD5
e7da9da76702fefa71e67e7c2d67eb70
-
SHA1
c97603e9070393fa9bb56e8674512cde49bfe444
-
SHA256
84bb8bba33e1a515260b02421d72da6ad0d685d432c64c572a230337dca28c54
-
SHA512
37a6f8be2cc4835a4bb15d5e4f86d1c9390cb94480642dfee08210640e679d694a8031fbd68d8ec1b84f8d4ff01ad33794562ec1456c262a4d10bc4fd483fd4c
-
SSDEEP
24576:B0R6OKfNjIxTUYFb5rTGx+Up4/r6HOzHEEg5d:eGfqV5t5rKTa/9HEV
Malware Config
Extracted
remcos
blvinc
blv23728.ddns.net:1973
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-NGC4XU
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exeC:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exe /stext "C:\Users\Admin\AppData\Local\Temp\qpnklhltjcqcaeoerfs"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exeC:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exe /stext "C:\Users\Admin\AppData\Local\Temp\qpnklhltjcqcaeoerfs"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exeC:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exe /stext "C:\Users\Admin\AppData\Local\Temp\srscmavuxkigdkkiipnzhll"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exeC:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exe /stext "C:\Users\Admin\AppData\Local\Temp\dmxnnsgolsatnryuraztkygdqk"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5eaea255afedabe89ee6fa005770c4456
SHA163f41c340f3477a15a80c90a5339af4ab9f7675b
SHA256e74bd062be1f23c08f7cacdf015d9d9298484a58355cb75bccb62acc9f08d964
SHA5120661d42ae66970d1c9cc9744157385d5ad791767fba7169fb7a472a3ec996629fa3687df44a8e652313174f8b620fbea966b730e6be366e38981113d8185ec1e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5ea01dd92b15d2f570f6b167dad2d1fd0
SHA17b89141d4c3eb2f29d096f28a9bfe66eb006224a
SHA2560515f49138d74283f9ac1042fd1a384f715b74c2b99193454dbb0cd585097727
SHA5120e7695aea30250a41829fa4abb681b8c3ed4c0955e18f1f9f3a5456bfb3a76f016f538e557bf29b99ab6ab48c846f9fa3c4bccd8cb5fe73099a81b5946029ec8
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
40KB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
768KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
960KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
304KB
-
Filesize
56KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
6.2MB
-
Filesize
68KB
-
Filesize
200KB
-
Filesize
600KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB