Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-09-2024 14:26

General

  • Target

    Trojan.MSIL.Hanoone.exe

  • Size

    2.1MB

  • MD5

    f3170f0a9fbd0466bac6cf8757d89b70

  • SHA1

    561c35ef1b516e0c28d775b9a50486104d3078a3

  • SHA256

    92c459b677130c62f0a34f1b77f26c098e04212bb56d7906f8aad278d37394cb

  • SHA512

    fcfb2910781a8d2409da48cac8396a40f2aaf54532fa58ad6882cbb7316bfbed3dd4eb0c76f2eca29c00f8ccbd5ffb5c79d1660b539103f76e9fb5193fd27f3a

  • SSDEEP

    24576:uD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPj8/j73AneLKJJ+4M:up7E+QrFUBgq23M

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive items.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Hanoone.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Hanoone.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3000

Network

  • 213.183.58.19:4000
    sbietrcl.exe
    152 B
    3
  • 213.183.58.19:4000
    sbietrcl.exe
    152 B
    3
  • 213.183.58.19:4000
    sbietrcl.exe
    152 B
    3
  • 213.183.58.19:4000
    sbietrcl.exe
    152 B
    3
  • 213.183.58.19:4000
    sbietrcl.exe
    104 B
    2

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b2d44345af17f167882f1dc8ff2a0d7f

    SHA1

    e53d13b3d2bddaa4854ad9003deaddb5952af17c

    SHA256

    6111adf726d5139f4c1dcb5640a73a1fe0ea02caa3d4a1c1bcd0691409c44873

    SHA512

    b96829c3ac9d982ebe62c6d2019340c015a9d4ce17aedf4a44ee6f5796e273919fcde9734897aba0763c92c5213b1e62e9085ceee08979c53d766d72928b86bc

  • C:\Users\Admin\AppData\Local\Temp\Cab1D8F.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

    Filesize

    2.1MB

    MD5

    e7877ecdad2b3ae78fa3e8b4f261dde9

    SHA1

    6f1dcb05578deb46c3fcb1cd875edc34ae438bbe

    SHA256

    461df8809f8e7c86048edcf2a61f1c0ce6906610a83d569738cabbfd7b242972

    SHA512

    b2182fa224db08c95d67d2143b96cee5946e2f53ff024c05cd34a5f9e00d65d2194bec5821ed7b468d977e1eb542ab9ff1f794e56d8d9a9eb3d60051a5bf6946

  • memory/2280-1-0x00000000744E0000-0x0000000074A8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2280-11-0x00000000744E0000-0x0000000074A8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2280-12-0x00000000744E0000-0x0000000074A8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2280-30-0x00000000744E0000-0x0000000074A8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2280-0-0x00000000744E1000-0x00000000744E2000-memory.dmp

    Filesize

    4KB

  • memory/2648-42-0x00000000744E0000-0x0000000074A8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2648-64-0x00000000744E0000-0x0000000074A8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2648-41-0x00000000744E0000-0x0000000074A8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2648-43-0x00000000744E0000-0x0000000074A8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2648-31-0x00000000744E0000-0x0000000074A8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2648-40-0x00000000744E0000-0x0000000074A8B000-memory.dmp

    Filesize

    5.7MB

  • memory/3000-44-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3000-48-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3000-50-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3000-53-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3000-56-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3000-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/3000-60-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3000-46-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3000-63-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3000-59-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3000-65-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3000-66-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3000-69-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB
