Overview

overview

10

Static

static

10

pizoooooooooon.exe

windows7-x64

10

pizoooooooooon.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    pizoooooooooon.exe

  • Size

    469KB

  • Sample

    241116-yjz43asfmd

  • MD5

    edbc5efff13abc4bbbe32422508f413c

  • SHA1

    53aaa3aee4fca7bee5381040878fb752d606a9fd

  • SHA256

    5eba0fc4031786d1d2744beace12ab4116df7ce799c85a72087996d6013dc0a9

  • SHA512

    4eb254d3acf692ea8267db2db519beb3e7c052c70ffa3498fc4cedfed4e935bb6e61984b1638bfcc7e52876b9f981ec4a2831f1fcf53a7ce6898e71657d03af9

  • SSDEEP

    12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSPn9:uiLJbpI7I2WhQqZ7P9

Score
10/10
hawkeyeremcosremotehostdiscoveryevasionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

items-jeffrey.gl.at.ply.gg:58427

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    system.exe

  • copy_folder

    Remcos

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %WinDir%\System32

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-B5GG3O

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      pizoooooooooon.exe

    • Size

      469KB

    • MD5

      edbc5efff13abc4bbbe32422508f413c

    • SHA1

      53aaa3aee4fca7bee5381040878fb752d606a9fd

    • SHA256

      5eba0fc4031786d1d2744beace12ab4116df7ce799c85a72087996d6013dc0a9

    • SHA512

      4eb254d3acf692ea8267db2db519beb3e7c052c70ffa3498fc4cedfed4e935bb6e61984b1638bfcc7e52876b9f981ec4a2831f1fcf53a7ce6898e71657d03af9

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSPn9:uiLJbpI7I2WhQqZ7P9

    Score
    10/10
    hawkeyeremcosremotehostdiscoveryevasionkeyloggerpersistenceratspywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • Hawkeye family

      hawkeye

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • UAC bypass

      evasiontrojan

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks