Overview

overview

10

Static

static

7

bo.exe

windows10-ltsc 2021-x64

10

Resubmissions

24-11-2024 05:19

241124-fz37jssjhr 10

24-11-2024 05:13

241124-fwxklawje1 10

Analysis

  • max time kernel
    46s
  • max time network
    42s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    24-11-2024 05:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bo.exe

  • Size

    19.4MB

  • MD5

    d11df1a50d4bd2946f22579a59c42533

  • SHA1

    642658e79c5efcfdf1ece6b24f677868e2e5242b

  • SHA256

    c284436ac848ee2ff093e35b1b1a3b75e137adff13c2d3cb070192cd3851bfcd

  • SHA512

    0dbe240d77a2e51198e942f0b48dc92f2d3c40f7eac98f957ede80f5809d4efff24a62f7f10e826b70b1459842391a880c39ab651b53809d4a0451778a04fb66

  • SSDEEP

    393216:V7HMp6xoUGEbCqiYXygxbisWLvhVARbpQgz+exD9ydNwbOVJs:VzMUWUxCD2nZi9vhVAx1+UDAvwbOw

Score
10/10
asyncratremcosdefaulttestdiscoveryevasionpersistenceratthemidatrojan

Malware Config

Extracted

Family

remcos

Botnet

test

C2

185.25.205.221:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    font.exe

  • copy_folder

    9910

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%\System32

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-XVWSQS

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

31.57.135.113:4199

Mutex

w5g64wefd5w4ef

Attributes
  • delay

    1

  • install

    true

  • install_file

    dllhost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Async RAT payload 1 IoCs
    rat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Themida packer 14 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\bo.exe
    "C:\Users\Admin\AppData\Local\Temp\bo.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Windows\System32\93213.exe
      "C:\Windows\System32\93213.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Users\Admin\AppData\Roaming\skuld.exe
        "C:\Users\Admin\AppData\Roaming\skuld.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dllhost" /tr '"C:\Users\Admin\AppData\Roaming\dllhost.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4040
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "dllhost" /tr '"C:\Users\Admin\AppData\Roaming\dllhost.exe"'
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1932
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1AB7.tmp.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1992
          • C:\Windows\system32\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:612
          • C:\Users\Admin\AppData\Roaming\dllhost.exe
            "C:\Users\Admin\AppData\Roaming\dllhost.exe"
            5⤵
            • Executes dropped EXE
            PID:1800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1AB7.tmp.bat
    Filesize

    151B

    MD5

    e4541af8ef2a04fdb74838c200ee044a

    SHA1

    c2e06cc669b1b776695ec61b071ce8ff2f0857f8

    SHA256

    ff926b1a8178c5d7dcce0ca900946cc25dfda825abe300812b5d0f28e5e22ec0

    SHA512

    d57605de36c9113c7f2bdaf9570a63bbab9cf83b6ad0b6dd20f65f04a55b202d16c5be60989363347b157b39f1adbcbd0606f4a5d759882ced354882659e3986

    Download Submit

  • C:\Users\Admin\AppData\Roaming\skuld.exe
    Filesize

    63KB

    MD5

    6c7adc2f28f40d79c09fdd2d59a94ab0

    SHA1

    48c3f3223376146c61a00c948447c188147c5dae

    SHA256

    109c3b63306fcc197268155a8f45681e14987eb207d4b8eef74978cf5a4114e6

    SHA512

    d3db6d8ec0835540299c0faf35d87327090d36b6fa3fd14fc26a452bdb7c084093d2424238ee0e2b847d07c33cb871f7cf5cd428226b08e1fc317ed88259a4a6

    Download Submit

  • C:\Windows\System32\93213.exe
    Filesize

    481KB

    MD5

    5cd8c409f784d3ed2ddaaeefec65088a

    SHA1

    acc55ffb98055b6f30177f7bfa337ee2bf99f45b

    SHA256

    924cc96243a3cc5c928c4acfde01a5b468e943f67c36c292bc08c6c8e57c82be

    SHA512

    8c935da4e7a6c59401c3efbcdad122eb8ac9dca5b39ca8d114182c7e53cf7008ec4188d69865609dd7a90f055ac60c68a1597c673c8953d1601a5d7c648327d6

    Download Submit

  • memory/1836-33-0x0000000000B60000-0x0000000000B76000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3672-9-0x00007FFD312D1000-0x00007FFD312D3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3672-11-0x00007FF747500000-0x00007FF74967A000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3672-6-0x00007FF747500000-0x00007FF74967A000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3672-7-0x00007FF747500000-0x00007FF74967A000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3672-0-0x00007FF747500000-0x00007FF74967A000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3672-8-0x00007FF747500000-0x00007FF74967A000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3672-10-0x00007FF747500000-0x00007FF74967A000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3672-5-0x00007FF747500000-0x00007FF74967A000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3672-12-0x00007FF747500000-0x00007FF74967A000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3672-13-0x00007FF747500000-0x00007FF74967A000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3672-4-0x00007FF747500000-0x00007FF74967A000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3672-3-0x00007FF747500000-0x00007FF74967A000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3672-2-0x00007FF747500000-0x00007FF74967A000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3672-34-0x00007FF747500000-0x00007FF74967A000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3672-1-0x00007FF747500000-0x00007FF74967A000-memory.dmp

    Filesize

    33.5MB

    Download