General
  Target: ggsploit V1.2.1.zip
  Size: 3.5MB
  Sample: 241001-ykzvpa1drc
  MD5: 4e3aee034b8f8bdc292eb70246b61b70
  SHA1: 9510541cae448cd647462524dadb7c6764f3fde4
  SHA256: 5a98da432ac4056a1843d19aa1c409f6cd56e5bf830c6fad8cd12f93f418095e
  SHA512: 41f61ab6a9c09c6bfbc7d677a8fbcaed2a9db2aff2bf16c1f7d8bc566eff55c7d99be5bb66a1fb1ed74e51351e671cf18c61109229282aacffac9754ca07ceb7
  SSDEEP: 98304:ZDH4uGXfFnCC1a+uuR1SVBoLv9xG0bW11qIL2ysuKZLxp2cY+c68Ee:RYfX9tPuOOFjsuKBf2N+cZEe
Behavioral tasks
  behavioral1
    Sample: ggsploit V1.2.1/download this if you dont have roblox.exe
    Resource: win11-20240802-en
  behavioral2
    Sample: ggsploit V1.2.1.exe
    Resource: win11-20240802-en
  behavioral3
    Sample: unins000.exe
    Resource: win11-20240802-en
Malware Config
  Extracted: remcos
    5.1.3 Light
    ggsploit 1.2.1
    127.0.0.1:4444
  audio_folder: MicRecords
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  mouse_option: false
  mutex: Rmc-XXOAKC
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  take_screenshot_option: false
  take_screenshot_time: 5
Targets

  Target: ggsploit V1.2.1/download this if you dont have roblox.exe
  Size: 6.5MB
  MD5: bfbd6cc26087166af3a64398260ead58
  SHA1: c50f08bffce2a709dee9af3ae6b96bb482abd4f9
  SHA256: 95c5f519a5f729ec1205f9f1c69b3e370e468ed5d1c7675502a9c9ef227509c9
  SHA512: c23683291b4b0e0f555fd715ba6e685faa5a952df95c70df69010e2f6c9f0fd7f593f030fab068207ff97583e049b52674e85bd41fc5901f817b4ec080d945e3
  SSDEEP: 98304:Uzvc3x0eU5N2T3pPB7nwQgy8p6JULNTY+sgrYBhiZUHKRmGO5Z/WtFmN:0c3fU5NeRuEYNUgrZTRm1Zutg
  - Downloads MZ/PE file
  - Event Triggered Execution: Image File Execution Options Injection
  - Event Triggered Execution: Component Object Model Hijacking
    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  - Checks system information in the registry
    System information is often read in order to detect sandboxing environments.
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger

  Target: ggsploit V1.2.1.exe
  Size: 430KB
  MD5: 83935216d149d4c0c56470031c9d5d92
  SHA1: 5b4cb9c1489513e81b744739b6ea96104dd71d0d
  SHA256: 7d1ac05427230f66167d1537a39e6433fe9279550440584ac82e66198e7c44e7
  SHA512: 15f774d34552e73337d45dead380587dfe035b7399a8c23eee55b4c1e7c4e80cf7cf028761ff4365d66bb4bd4be327ac73b3e25fb0a022bfa7161ac065fd2317
  SSDEEP: 6144:cvRscHtVzjwIRFzJZ2p26+jFWXYnj9iT2ebvXmUcCqkmAO2rjXH7ycDZ3:cvRs4OIm2hWX4U2ebvRUAr77T3
  Score: 3/10

  Target: unins000.exe
  Size: 436KB
  MD5: b2aebff3474de2fdb3be48ee268f2bec
  SHA1: 8feaa6c4509151ef28f48a9b3c09fee15eeccebe
  SHA256: 023ddfff2ddaaa3bce687e393457bd993a94eae81b76d67e9f50e14c024c0e96
  SHA512: a59ac5bd5e6d17446486575422ed6e05b95a34e1187dcf14d613d7ce30508cd5a365c9e13e311905e7d8801e20cb83822c4bec67322d580e8195b5f3fc97f39e
  SSDEEP: 6144:5vRscHtVzjwIRFzJZ2p26+jFWXYnj9iT2ebvXmUcCqkmAO2rjXH7ycDd3:5vRs4OIm2hWX4U2ebvRUAr77/3
  Score: 3/10
MITRE ATT&CK Enterprise v15
  Persistence
    Event Triggered Execution (2)
      Component Object Model Hijacking (1)
      Image File Execution Options Injection (1)
  Privilege Escalation
    Event Triggered Execution (2)
      Component Object Model Hijacking (1)
      Image File Execution Options Injection (1)