Overview

overview

10

Static

static

3

2c3bba8949...e6.exe

windows7-x64

3

2c3bba8949...e6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/10/2024, 18:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c3bba8949c6ebeb2f81764c614733e5f81800b5de059f1f16afe6074d5f83e6.exe

  • Size

    398KB

  • MD5

    923191786539b85f05801a82c5d34044

  • SHA1

    5b05c3e94c78de881743b64fbf655dd7a4d5a4ed

  • SHA256

    2c3bba8949c6ebeb2f81764c614733e5f81800b5de059f1f16afe6074d5f83e6

  • SHA512

    54294237c5e4e96b28a958c2bf7cfd7056db3833356b2a473a6da00f2434cb4fbb6a9266df969c1132b0416d1b6d5f62a5bc3b68c836e8ffed28b844d32b3d98

  • SSDEEP

    768:5wv79pvtx0gODbLTL7tg7SYQQzcrN2RgFxhjpjOOZFYe4J0v/CBN7BFeQaZTog1:5wRVWr7tgCWcE0xp9OOR4aXOYfP1

Score
10/10
remcoszenozamadiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

ZENOZAMA

C2

intelcom2.ydns.eu:1832

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    sdfdsfgfd

  • mouse_option

    false

  • mutex

    dgfgdfgfdd-8CZV1B

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3476
      • C:\Users\Admin\AppData\Local\Temp\2c3bba8949c6ebeb2f81764c614733e5f81800b5de059f1f16afe6074d5f83e6.exe
        "C:\Users\Admin\AppData\Local\Temp\2c3bba8949c6ebeb2f81764c614733e5f81800b5de059f1f16afe6074d5f83e6.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops startup file
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2340
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2592

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\sdfdsfgfd\logs.dat
      Filesize

      184B

      MD5

      d9dd186e992bf4b440d95c2b268e7559

      SHA1

      458a9770fe9c25b44aa091d9cda2d7fe35ff1436

      SHA256

      a61df154c1207001f1201a15e89e11bd4244d408df04accb5e3c0c8966160053

      SHA512

      bbb9b02cb5ab0f402fe96883e287f41eececf537b91f8dbc16a74796975eb55e7454b1456a02ac6e1500e4f6ebcc395a04ee6d9289a3e934554bb402d344367b

      Download Submit

    • memory/2340-0-0x000000007469E000-0x000000007469F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2340-1-0x0000000000910000-0x000000000097A000-memory.dmp

      Filesize

      424KB

      Download

    • memory/2340-2-0x0000000074690000-0x0000000074E40000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2340-3-0x00000000051B0000-0x00000000051B6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2340-4-0x00000000064B0000-0x00000000065D6000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-5-0x0000000006B80000-0x0000000007124000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2340-6-0x0000000006680000-0x0000000006712000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2340-13-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-22-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-70-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-68-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-66-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-64-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-62-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-60-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-58-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-56-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-55-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-50-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-48-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-46-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-52-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-44-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-42-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-40-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-38-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-36-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-32-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-30-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-28-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-24-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-20-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-18-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-16-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-14-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-35-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-26-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-11-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-8-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-7-0x00000000064B0000-0x00000000065CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2340-1081-0x0000000074690000-0x0000000074E40000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2340-1082-0x00000000067E0000-0x0000000006878000-memory.dmp

      Filesize

      608KB

      Download

    • memory/2340-1083-0x0000000006920000-0x000000000696C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2340-1084-0x0000000006970000-0x00000000069C4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/2340-1089-0x0000000074690000-0x0000000074E40000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2340-1090-0x0000000074690000-0x0000000074E40000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2340-1091-0x0000000074690000-0x0000000074E40000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2340-1101-0x0000000074690000-0x0000000074E40000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2592-1096-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2592-1112-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download