Analysis

  • max time kernel
    136s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-09-2024 12:35

General

  • Target

    Godaddy Checker Cracked/data/log.exe

  • Size

    92KB

  • MD5

    4daae6c7d8deeb9c398da69c722d5dfa

  • SHA1

    fe3c3cdbc61ec00584f7d6ebdf0cae27e013c6b0

  • SHA256

    690e5292cdbff69ed08e971ebb61261a4f0a9e2483aacb93b675f5ac3826ac06

  • SHA512

    00ef31e6161741e427bda90457e9c6e192886637087278eac6b59872e3327a919b3a197ab40f9d367ca1651d10130ec9a267c772abf4d1e0b9c3e111b818148a

  • SSDEEP

    1536:ohhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6ArO:uhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+a

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

vshield.publicvm.com:5151

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    chrome.exe

  • copy_folder

    Google Chrome

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    Google Chrome

  • keylog_path

    %AppData%

  • mouse_option

    true

  • mutex

    remcos_ykhychcufk

  • screenshot_crypt

    true

  • screenshot_flag

    true

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    chrome

  • take_screenshot_option

    true

  • take_screenshot_time

    5

  • take_screenshot_title

    paypal;amazon;nulled.to;cracked.to;ebay;blockchain;coinbase

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Godaddy Checker Cracked\data\log.exe
    "C:\Users\Admin\AppData\Local\Temp\Godaddy Checker Cracked\data\log.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Adds policy Run key to start application
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies WinLogon
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Windows\SysWOW64\PING.EXE
        PING 127.0.0.1 -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3688
      • C:\Users\Admin\AppData\Roaming\Google Chrome\chrome.exe
        "C:\Users\Admin\AppData\Roaming\Google Chrome\chrome.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies WinLogon
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2732

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    vshield.publicvm.com
    chrome.exe
    Remote address:
    8.8.8.8:53
    Request
    vshield.publicvm.com
    IN A
    Response
    vshield.publicvm.com
    IN CNAME
    publicvm.com
    publicvm.com
    IN A
    139.99.66.103
  • flag-us
    DNS
    136.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    136.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    vshield.publicvm.com
    chrome.exe
    Remote address:
    8.8.8.8:53
    Request
    vshield.publicvm.com
    IN A
    Response
    vshield.publicvm.com
    IN CNAME
    publicvm.com
    publicvm.com
    IN A
    139.99.66.103
  • 139.99.66.103:5151
    vshield.publicvm.com
    chrome.exe
    260 B
    5
  • 139.99.66.103:5151
    vshield.publicvm.com
    chrome.exe
    260 B
    5
  • 139.99.66.103:5151
    vshield.publicvm.com
    chrome.exe
    260 B
    5
  • 139.99.66.103:5151
    vshield.publicvm.com
    chrome.exe
    260 B
    5
  • 139.99.66.103:5151
    vshield.publicvm.com
    chrome.exe
    260 B
    5
  • 139.99.66.103:5151
    vshield.publicvm.com
    chrome.exe
    260 B
    5
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    vshield.publicvm.com
    dns
    chrome.exe
    66 B
    96 B
    1
    1

    DNS Request

    vshield.publicvm.com

    DNS Response

    139.99.66.103

  • 8.8.8.8:53
    136.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    136.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    292 B
    144 B
    4
    1

    DNS Request

    95.221.229.192.in-addr.arpa

    DNS Request

    95.221.229.192.in-addr.arpa

    DNS Request

    95.221.229.192.in-addr.arpa

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    56.126.166.20.in-addr.arpa

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    284 B
    157 B
    4
    1

    DNS Request

    13.86.106.20.in-addr.arpa

    DNS Request

    13.86.106.20.in-addr.arpa

    DNS Request

    13.86.106.20.in-addr.arpa

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    365 B
    5

    DNS Request

    149.220.183.52.in-addr.arpa

    DNS Request

    149.220.183.52.in-addr.arpa

    DNS Request

    149.220.183.52.in-addr.arpa

    DNS Request

    149.220.183.52.in-addr.arpa

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    360 B
    158 B
    5
    1

    DNS Request

    43.229.111.52.in-addr.arpa

    DNS Request

    43.229.111.52.in-addr.arpa

    DNS Request

    43.229.111.52.in-addr.arpa

    DNS Request

    43.229.111.52.in-addr.arpa

    DNS Request

    43.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    296 B
    128 B
    4
    1

    DNS Request

    172.210.232.199.in-addr.arpa

    DNS Request

    172.210.232.199.in-addr.arpa

    DNS Request

    172.210.232.199.in-addr.arpa

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    vshield.publicvm.com
    dns
    chrome.exe
    66 B
    96 B
    1
    1

    DNS Request

    vshield.publicvm.com

    DNS Response

    139.99.66.103

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.bat

    Filesize

    106B

    MD5

    e4f4700738e33258cdbee476f5675217

    SHA1

    23644b39aa13334e1edab2632a0b78d41dcc42a4

    SHA256

    9636ee8e98fd8636f12714bfb323f3d1010d18dae6dbbba86766e1711348243c

    SHA512

    02c424ab221a85fc1ddcfc5137c10b6317b732cab63e993cd70d9f28b3e6df9dd9a3493f2ce146bf672be002b627b1c1a57cfd5ba9162db68c8f6f219adab5f6

  • C:\Users\Admin\AppData\Roaming\Google Chrome\chrome.exe

    Filesize

    92KB

    MD5

    4daae6c7d8deeb9c398da69c722d5dfa

    SHA1

    fe3c3cdbc61ec00584f7d6ebdf0cae27e013c6b0

    SHA256

    690e5292cdbff69ed08e971ebb61261a4f0a9e2483aacb93b675f5ac3826ac06

    SHA512

    00ef31e6161741e427bda90457e9c6e192886637087278eac6b59872e3327a919b3a197ab40f9d367ca1651d10130ec9a267c772abf4d1e0b9c3e111b818148a

  • C:\Users\Admin\AppData\Roaming\Screens\2.png

    Filesize

    425KB

    MD5

    deeb9c0701451108a9287c086670769f

    SHA1

    6d16aad8d75e4425009d208657b9bf0f2bdae7cf

    SHA256

    c8e1e903bc807429d64336bd4d7b05271c6110143b586de0da65d61c7f5d172f

    SHA512

    3e9b23cf50486dee403cb703bb7efbeb3cf083b2439bb2fd62b57416c2e0a63e879f5e598b2b60353149a8d5e034db7e847f8a607d1c83c175c0d2a169472f7a

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.