Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04-09-2024 00:30
Static task
static1
Behavioral task
behavioral1
Sample
2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe
-
Size
9.9MB
-
MD5
29f1032b17157ed6c32afe5941c03ddf
-
SHA1
5c041e94c20cce7d987b1ba523c4a53b718a75e4
-
SHA256
a5a68d1970badfb04025a60c445bc1cdfd8bae3ba5e9d582f9fee45634bf7419
-
SHA512
e19fd153ae2fbf4b0cdc823696502fd49527ca454ab1e6cdc2189464ca0843bcd9d3e2e4770099c7e2e92473dfafaaf8e70fadfb6dcc081fa5b772d75ac3761d
-
SSDEEP
196608:aZpzYZVdl3/sGFKIWN3O8VuYJ/VFWPeEGM:aePRFKIW5NMa/VAjr
Malware Config
Extracted
remcos
ROSALINDA
wedrfidsvijdvbikbdfv.con-ip.com:1661
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-U25YPG
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ClipDiary = "C:\\Users\\Admin\\Pictures\\ClipDiary\\ClipDiaryUpdater.exe" 2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4604 2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4148 wrote to memory of 4604 4148 2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe 93 PID 4148 wrote to memory of 4604 4148 2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe 93 PID 4148 wrote to memory of 4604 4148 2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe 93 PID 4148 wrote to memory of 4604 4148 2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe 93 PID 4148 wrote to memory of 4604 4148 2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Users\Admin\AppData\Local\Temp\2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4604
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request37.56.20.217.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request68.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
DNSwedrfidsvijdvbikbdfv.con-ip.com2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exeRemote address:8.8.8.8:53Requestwedrfidsvijdvbikbdfv.con-ip.comIN AResponsewedrfidsvijdvbikbdfv.con-ip.comIN A179.15.149.222
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request222.149.15.179.in-addr.arpaIN PTRResponse222.149.15.179.in-addr.arpaIN PTRDinamic-Tigo-179-15-149-222tigocomco
-
Remote address:8.8.8.8:53Requestgeoplugin.netIN AResponsegeoplugin.netIN A178.237.33.50
-
GEThttp://geoplugin.net/json.gp2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exeRemote address:178.237.33.50:80RequestGET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
server: Apache
content-length: 954
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
-
Remote address:8.8.8.8:53Request50.33.237.178.in-addr.arpaIN PTRResponse50.33.237.178.in-addr.arpaIN CNAME50.32/27.178.237.178.in-addr.arpa
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request130.118.77.104.in-addr.arpaIN PTRResponse130.118.77.104.in-addr.arpaIN PTRa104-77-118-130deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.173.189.20.in-addr.arpaIN PTRResponse
-
179.15.149.222:1661wedrfidsvijdvbikbdfv.con-ip.comtls2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe5.7kB 2.2kB 16 16
-
178.237.33.50:80http://geoplugin.net/json.gphttp2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe623 B 1.3kB 12 3
HTTP Request
GET http://geoplugin.net/json.gpHTTP Response
200
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
71 B 131 B 1 1
DNS Request
37.56.20.217.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
68.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
8.8.8.8:53wedrfidsvijdvbikbdfv.con-ip.comdns2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe77 B 93 B 1 1
DNS Request
wedrfidsvijdvbikbdfv.con-ip.com
DNS Response
179.15.149.222
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
73 B 126 B 1 1
DNS Request
222.149.15.179.in-addr.arpa
-
8.8.8.8:53geoplugin.netdns2024-09-04_29f1032b17157ed6c32afe5941c03ddf_avoslocker_poet-rat_rhadamanthys.exe59 B 75 B 1 1
DNS Request
geoplugin.net
DNS Response
178.237.33.50
-
72 B 155 B 1 1
DNS Request
50.33.237.178.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
130.118.77.104.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
18.173.189.20.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD50ef1c280fb80fcadf68bb2c5229408e0
SHA15b0fd2b89350c5cdb3c51f4ec85d7892beac6a90
SHA2568936651e80af662dbd2fd7cd50ca0041da37fcb41730de54a6a61ac65b3ddb7d
SHA512e2f1b71eacd1f72635719c96a94a793c98622efe8ef207987bddba5e0b0fa1a8f90eb841e002fd5d1b3c4db9d9c9d7bdd9fd13fa0b1c95fdd8d01c951c0de5db