Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
12-11-2024 07:44
General
-
Target
Vodka.exe
-
Size
454KB
-
MD5
6ff1a159ea827fc4cc63417004a81030
-
SHA1
e6412f570c1c3aa91e8e87a92a8a848547f9b94d
-
SHA256
f7962bec2e9ae0913ca8c8b3349a306d5e6f200ec6c1531e35749bb00d1b6a10
-
SHA512
0039a328696c002a533da4f51ece25b61e7bb4256bb2af5dff02fa338f9a18e0a69da5ea3618d2f4c746960aa2df3188a5c0c1b115568e81a1436fc6b85b9116
-
SSDEEP
12288:eTLpZM7P6UknZxn/7kRizAMzd6V7+aqEsapYNd1:eT7M7P6FZQQRxC7+JEfpWd1
Malware Config
Extracted
remcos
RemoteHost
212.162.149.195:2404
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-9EP276
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Detected Nirsoft tools 6 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Vodka.exe"C:\Users\Admin\AppData\Local\Temp\Vodka.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Vodka.exe"C:\Users\Admin\AppData\Local\Temp\Vodka.exe"2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Vodka.exeC:\Users\Admin\AppData\Local\Temp\Vodka.exe /stext "C:\Users\Admin\AppData\Local\Temp\lhzmuizcup"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\Vodka.exeC:\Users\Admin\AppData\Local\Temp\Vodka.exe /stext "C:\Users\Admin\AppData\Local\Temp\wjefvbkdixscej"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\Vodka.exeC:\Users\Admin\AppData\Local\Temp\Vodka.exe /stext "C:\Users\Admin\AppData\Local\Temp\gdjyntuxefkppptwn"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD578ae1dabe7d11f860570250548b20706
SHA1abe97d8a8bb870f830b75d7dd3dd5c99613a1ed5
SHA256e131c9b8e893044151ab70ef45aa21d70f7e96cf3e04656f6e2813a119399455
SHA512f3d65d5e6a65f3344b6b7174405b2403f285d2f9563fa8b67d102a05ec4df4337e827c55a2a6b8a9853f7f658582561e535cbe055db1d8e2ab0685066627779f
-
Filesize
4KB
MD560a0bdc1cf495566ff810105d728af4a
SHA1243403c535f37a1f3d5f307fc3fb8bdd5cbcf6e6
SHA256fd12da9f9b031f9fa742fa73bbb2c9265f84f49069b7c503e512427b93bce6d2
SHA5124445f214dbf5a01d703f22a848b56866f3f37b399de503f99d40448dc86459bf49d1fa487231f23c080a559017d72bcd9f6c13562e1f0bd53c1c9a89e73306a5
-
Filesize
12KB
MD5564bb0373067e1785cba7e4c24aab4bf
SHA17c9416a01d821b10b2eef97b80899d24014d6fc1
SHA2567a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
SHA51222c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
100KB
-
Filesize
18.3MB
-
Filesize
100KB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
33.4MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
33.4MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
100KB
-
Filesize
18.3MB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
1.1MB
-
Filesize
33.4MB
-
Filesize
4KB
-
Filesize
33.4MB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB