Overview

overview

10

Static

static

10

download1.exe

windows7-x64

9

download1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2024 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    download1.exe

  • Size

    483KB

  • MD5

    b0b179cb58814287051a3933455c382e

  • SHA1

    23bb06299fe32cc15786f9b79c22e5d7af50802a

  • SHA256

    997371c951144335618b3c5f4608afebf7688a58b6a95cdc71f237f2a7cc56a2

  • SHA512

    6c0c6fbd544517b05e17cdd15e64698df5683b51a9fc79dfe51e18c62202d2d45626ba41e6c9b7b7ae507ce474c948f501971815afa6accc81b4268afafb11c9

  • SSDEEP

    6144:RTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZmAX4crgWT4:RTlrYw1RUh3NFn+N5WfIQIjbs/ZmgT4

Score
10/10
remcosremotehostcollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro:6845

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    notpad0

  • keylog_path

    %Temp%

  • mouse_option

    false

  • mutex

    Rmc-EPF38I

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Detected Nirsoft tools 10 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\download1.exe
    "C:\Users\Admin\AppData\Local\Temp\download1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Users\Admin\AppData\Local\Temp\download1.exe
      C:\Users\Admin\AppData\Local\Temp\download1.exe /stext "C:\Users\Admin\AppData\Local\Temp\zjnt"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4368
    • C:\Users\Admin\AppData\Local\Temp\download1.exe
      C:\Users\Admin\AppData\Local\Temp\download1.exe /stext "C:\Users\Admin\AppData\Local\Temp\jdtdyghk"
      2⤵
      • Accesses Microsoft Outlook accounts
      • System Location Discovery: System Language Discovery
      PID:2964
    • C:\Users\Admin\AppData\Local\Temp\download1.exe
      C:\Users\Admin\AppData\Local\Temp\download1.exe /stext "C:\Users\Admin\AppData\Local\Temp\mygwzqseilv"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\notpad0\logs.dat
    Filesize

    144B

    MD5

    ce1c6923e54532770996084ea2c34471

    SHA1

    b174d93790fff8a999d441f0e6b34182306a9472

    SHA256

    1015b43196ad7a0a6165f75836054a770041cb4cb085982dba9a1f31c1061b02

    SHA512

    47c725556067399e9cde1eba7c298f25f8d57df4bb0e39c2fb8d32c527652a92e429435c20f387be750674a7e29c8e070d8cbbf87990436607ae5153459f4797

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zjnt
    Filesize

    4KB

    MD5

    c0ab2847671ed5375328c5127a02cc72

    SHA1

    dc2bcb51562fb17e5c8787833bc0181d88a5b75e

    SHA256

    e961f466a0638bc99182d0056245e2d8bf1ccc13a189b802aada981f379e2384

    SHA512

    0b8b634d21ac71e02cef86687bf84b6fcecfd24dafab8130f42ce8b4b3f308a2e1b1fa7bf8d37f2eda76efae2b30b8d39f41d808d771562d8545ed144241924f

    Download Submit

  • memory/2920-17-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2920-8-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2920-13-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2920-26-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2920-15-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2920-18-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2964-19-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2964-4-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2964-9-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2964-14-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2964-10-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/4368-7-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4368-3-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4368-28-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4368-11-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4368-16-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4916-34-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4916-35-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4916-31-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4916-36-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4916-40-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4916-41-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4916-37-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download