Overview

overview

10

Static

static

3

Deposit 47...ng.exe

windows7-x64

10

Deposit 47...ng.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09-09-2024 19:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Deposit 47800 USD.png.exe

  • Size

    903KB

  • MD5

    ede0315b2253c133fb9fb6c32c1b4d24

  • SHA1

    4c11d887e2fa02dd967a4a723f1b92253d738411

  • SHA256

    c4e002e24dc01a9ec412049b3ee298bf7ede32caf604a7a0cf61711d9d3f2bd7

  • SHA512

    a1e105987b844947c448b3b08228368464daa160810fd9cd3100bede7dead786308c6f4da20e21203726795e1b2f21762339b42304a2ee91f417799e4555cb0d

  • SSDEEP

    12288:mznnX1BNRZ9v1H5SutQJ9NNzRF/AIyDQTt+C6UUmcPBUDoD5zluKiS59GmMi1s6X:+BfR5SutmXRFY9rJUUm+BPV4CRTkE

Score
10/10
remcosremotehostdiscoveryexecutionratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

103.186.116.111:4440

google-com-site-backup.duckdns.org:4440

103.186.116.111:5656

codingoffensive.duckdns.org:5656
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    ssl

  • mouse_option

    false

  • mutex

    Rmc-XHK5L2

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Deposit 47800 USD.png.exe
    "C:\Users\Admin\AppData\Local\Temp\Deposit 47800 USD.png.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Deposit 47800 USD.png.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZldrOZt.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZldrOZt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B17.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:496
    • C:\Users\Admin\AppData\Local\Temp\Deposit 47800 USD.png.exe
      "C:\Users\Admin\AppData\Local\Temp\Deposit 47800 USD.png.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3012

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\ssl\logs.dat
    Filesize

    144B

    MD5

    69ed151664270ae1a92b8d11e40861e0

    SHA1

    9a172019561722f43a2fb259339f801c1e2da254

    SHA256

    da69d41e4f3f6ef59180267d6b7c0a9d8f0a18a6efdd0401cab4f19615366056

    SHA512

    c2940a773defccc09210ec9f621aac33718e9ad2fe771dde20d9163feb0c4c0a27206c726301b2bdc9355c574c17178f90f8c1f6177886e6839a16dc82d22ec6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp9B17.tmp
    Filesize

    1KB

    MD5

    f7c94c1f4ddb31aa69c3892f94328e63

    SHA1

    d9bcfbc562d0fdc5ca961cbf8066e3dafb7f122c

    SHA256

    0ccc62e5c791c7070857dd2c9d82c4aaf5fd592214ac6e0b89934d3131c50da1

    SHA512

    97757b5893957688e35c2dfc89463e71b1fc724fd4837567d73f201e6f9d14b005125c9817d4f87eb450556e8bd06b8b027eb2c799834654c0f185b09bcc11f7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YGACC38L47U65NNVNNF8.temp
    Filesize

    7KB

    MD5

    d46a2e4a0420aa5cefddf8da54110846

    SHA1

    e1e05a05edf4843fbf9d3692bbf9ab00d0a430ef

    SHA256

    b458c36b624007e0ac88fba3e618004380d673626b1430cd8a822f98abab8708

    SHA512

    c5f60cab3271adb64a96f3bb115d9dbf4edf9a98541271e04d06eb490f6c0e51e2f57603f233c5bf7f646e9c62b156e62df3f850402ba3bd78e7a30164d4a023

    Download Submit

  • memory/2312-43-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2312-1-0x00000000012A0000-0x0000000001388000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2312-2-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2312-3-0x0000000000380000-0x0000000000390000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2312-4-0x000000007419E000-0x000000007419F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2312-5-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2312-6-0x0000000005F20000-0x0000000005FE0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2312-0-0x000000007419E000-0x000000007419F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-25-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-47-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-38-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-36-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-33-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-42-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-29-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-28-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-37-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-23-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-21-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-31-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-46-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-48-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-41-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-45-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-49-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-51-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-53-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-56-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-57-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-19-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-59-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-71-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-72-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-77-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-80-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-81-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-82-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-89-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-90-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download