Overview

overview

10

Static

static

3

free spoofer.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    92s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12-11-2024 23:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    free spoofer.exe

  • Size

    346KB

  • MD5

    3c3bfc253392fb2dcb1973b3849047b1

  • SHA1

    0c5e9d2f56bfae52d1090f2e8c6e7058f9891ef9

  • SHA256

    37d916a79c24f8146e6ee9d3cb888961035dc7b15077bca1a80f3fdbc013fd02

  • SHA512

    4ba3a0bceea539adb6f1a6a9e3caf57c366f040ba00625e138a2601098a36ff02f150aae13a1e9b26984ab6ed027ed70a703246408497b2bc725b669757f6b96

  • SSDEEP

    6144:UsLqdufVUNDaHOVbUMuhYm0nDudBDZSAS8ScU4GMdRJiyRXTtkN:PFUNDaobhAYmquAP8SmdDiajc

Score
10/10
remcosfree spooferdiscoveryevasionpersistenceratupx

Malware Config

Extracted

Family

remcos

Version

5.3.0 Light

Botnet

free spoofer

C2

127.0.0.1:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-QTYGBF

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\free spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\free spoofer.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1136
    • \??\c:\users\admin\appdata\local\temp\free spoofer.exe 
      "c:\users\admin\appdata\local\temp\free spoofer.exe "
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3344
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:908
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4308
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4824
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1100
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2336
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:952
    • C:\Users\Admin\Desktop\free spoofer.exe
      "C:\Users\Admin\Desktop\free spoofer.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:912
      • \??\c:\users\admin\desktop\free spoofer.exe 
        "c:\users\admin\desktop\free spoofer.exe "
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2276
      • C:\Windows\Resources\Themes\icsys.icn.exe
        C:\Windows\Resources\Themes\icsys.icn.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1220
        • \??\c:\windows\resources\themes\explorer.exe
          c:\windows\resources\themes\explorer.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1948

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\free spoofer.exe 
      Filesize

      211KB

      MD5

      c84c4c9119a106ef8b03f518ac2fd77f

      SHA1

      f5ec736878b7350476f67fcbf83c1e9b1091f8ed

      SHA256

      1c9e341e908b43c20f24dfe5cb449502f659dabfc9c697750ade95e1535f295b

      SHA512

      5ec872842a7a432271ec2b053f638d5eaf54f97be4e4ea98af34a2c927d4f7dfcfe5d98ea3fdc1405383bdffee9bf47b0b22a7b20d95df06a46dc1cee6c51ccd

      Download Submit

    • C:\Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      1ecca1479d3eb1447595d5245cf1ed05

      SHA1

      beb6de4c390817b59a9213e68db83ca471ab2a1b

      SHA256

      37761aefa554a85ae8b6629dbc4ed46a5c274c3edac2554e954e8522483d6cbb

      SHA512

      904b508c4866f5e2bae691dd4e7fc81b9be3ca0dcc82f4c65129aa01923356ed5d718d0019dd62e9ed76435523286987bea1361e0cf7fe6fa6962276c6668421

      Download Submit

    • C:\Windows\Resources\Themes\icsys.icn.exe
      Filesize

      135KB

      MD5

      f00d658a3974a79f14e9102602bf09f9

      SHA1

      c4328ee2d0d6c4fd77fc40ff991209663439870a

      SHA256

      f67a66914baca9ed1af8661252ec4fee45c10fcdfa3482197916d51bd3dfc1bd

      SHA512

      71c69718620da6d37de7f42cb808724f26130a10ce2526efb508364587e7d294bbf1280763fbf7656d00e33077096fecf33b96cc859631c218b406eb0be38943

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      a4f34265ecea48cf9ee3122cbe4fab1e

      SHA1

      d8577cdf2a1847f7f7e710ba92cf0f763b185ba1

      SHA256

      945746a62e4930a9d6e81c14d3d3568f3fde41fab5763698c79fcb1fe8c0861e

      SHA512

      fb393853bde464bd0bee730792bea925844694fe3437c7e84d6836db041cabf27d54e24a6de4df2c10fb7ea9c5aa8d1a22aa2b98df02786236d6fddaba9f45cf

      Download Submit

    • C:\Windows\Resources\svchost.exe
      Filesize

      135KB

      MD5

      646b1395e561613dca878dd0739cb11c

      SHA1

      6718a54a13cb38e9b1dce1729cebca4831b83356

      SHA256

      efe67e0b61adbf8c31e6b2714c16d0be6244a052d5e361c0129a360f7e381f55

      SHA512

      2c031974c5d86d2d0df77763c466d401f2a90b263eced302855207e55f4627b16faa073b36cdb3025fe922e8a9e361fc04b7a300cca1d25f320ec075f461b1f0

      Download Submit

    • memory/908-46-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/912-73-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1100-53-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1136-47-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1136-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1220-75-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1948-74-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1948-69-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2276-77-0x0000000000400000-0x000000000047D000-memory.dmp

      Filesize

      500KB

      Download

    • memory/2276-76-0x0000000000400000-0x000000000047D000-memory.dmp

      Filesize

      500KB

      Download

    • memory/2336-44-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/3344-49-0x0000000000400000-0x000000000047D000-memory.dmp

      Filesize

      500KB

      Download

    • memory/3344-51-0x0000000000400000-0x000000000047D000-memory.dmp

      Filesize

      500KB

      Download

    • memory/3344-9-0x0000000000400000-0x000000000047D000-memory.dmp

      Filesize

      500KB

      Download

    • memory/3344-50-0x0000000000400000-0x000000000047D000-memory.dmp

      Filesize

      500KB

      Download

    • memory/3344-48-0x0000000000400000-0x000000000047D000-memory.dmp

      Filesize

      500KB

      Download

    • memory/4308-52-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/4824-45-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download