Analysis

  • max time kernel: 148s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 22-12-2024 01:33

General

  • Target: 7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe
  • Size: 945KB
  • MD5: 97dbc44370eaaa9f03b0a49214740b0c
  • SHA1: e49d9ea0e7380f49904e41c2a48ef0f2bcecd6ba
  • SHA256: 7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631
  • SHA512: 2ddcd33620230fabc1a1ed2915c3f74dcfbfaf21c96af6d6359b99596dab655b14ebbe474d9c9b22aa167ffc16eb07effbf5ecabf2bb3a92f2019acfcfe4f190
  • SSDEEP: 24576:TcpPlcL6NZ/qpYGVsIHpY4hVj1ak+gMkFqufX:EPlcLq/qpsINDjgMbFR

Malware Config

Extracted

  • Family: remcos
  • Version: 3.1.5 Pro
  • Botnet: Client
  • C2: jokerwe.duckdns.org:45131, thegatorway.com:58764

Attributes

  • audio_folder: MicRecords
  • audio_path: %AppData%
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: start.exe
  • copy_folder: start
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • install_path: %AppData%
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: AV
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: -JTORVC
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 25
  • startup_value: start
  • take_screenshot_option: false
  • take_screenshot_time: 5
  • take_screenshot_title: wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Remcos family
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe
    "C:\Users\Admin\AppData\Local\Temp\7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YgBIwxYcZP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8CDA.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2192
    • C:\Users\Admin\AppData\Local\Temp\7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe
      "C:\Users\Admin\AppData\Local\Temp\7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2012

Network

DNS log. All lookups were sent to the resolver 8.8.8.8:53 (US). "sample" denotes the submitted executable 7b552c175c725fb2d8b9f5a28e01045ec5d1ed444bd1220fa464d1e79a1eb631.exe; PTR lookups had no process attributed to them. "(empty)" means a response was recorded with no answer record; "(no response)" means no response was recorded.

| Query | Type | Process | Answer |
|---|---|---|---|
| 8.8.8.8.in-addr.arpa | PTR | | dns.google |
| 217.106.137.52.in-addr.arpa | PTR | | (empty) |
| 83.210.23.2.in-addr.arpa | PTR | | a2-23-210-83.deploy.static.akamaitechnologies.com |
| 0.159.190.20.in-addr.arpa | PTR | | (empty) |
| 95.221.229.192.in-addr.arpa | PTR | | (empty) |
| 13.86.106.20.in-addr.arpa | PTR | | (empty) |
| 154.239.44.20.in-addr.arpa | PTR | | (empty) |
| 149.220.183.52.in-addr.arpa | PTR | | (empty) |
| 56.163.245.4.in-addr.arpa | PTR | | (empty) |
| 206.23.85.13.in-addr.arpa | PTR | | (empty) |
| 172.214.232.199.in-addr.arpa | PTR | | (empty) |
| 180.129.81.91.in-addr.arpa | PTR | | (empty) |
| jokerwe.duckdns.org | A | sample | 185.174.100.34 |
| jokerwe.duckdns.org | A | sample | (no response) |
| jokerwe.duckdns.org | A | sample | (no response) |
| 13.227.111.52.in-addr.arpa | PTR | | (empty) |
| thegatorway.com | A | sample | (empty) |
| thegatorway.com | A | sample | (empty) |
| thegatorway.com | A | sample | (empty) |
| jokerwe.duckdns.org | A | sample | 185.174.100.34 |
| jokerwe.duckdns.org | A | sample | (empty) |

Connections. Byte and packet counts are per direction; a blank cell means nothing was recorded for that column (the four connections to 185.174.100.34:45131 show outbound traffic only).

| Destination | Domain | Protocol | Process | Sent | Received | Packets out | Packets in | DNS answer |
|---|---|---|---|---|---|---|---|---|
| 185.174.100.34:45131 | jokerwe.duckdns.org | | sample | 260 B | | 5 | | |
| 185.174.100.34:45131 | jokerwe.duckdns.org | | sample | 260 B | | 5 | | |
| 185.174.100.34:45131 | jokerwe.duckdns.org | | sample | 260 B | | 5 | | |
| 185.174.100.34:45131 | jokerwe.duckdns.org | | sample | 208 B | | 4 | | |
| 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | dns | | 66 B | 90 B | 1 | 1 | |
| 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | dns | | 73 B | 147 B | 1 | 1 | |
| 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | dns | | 70 B | 133 B | 1 | 1 | |
| 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | dns | | 71 B | 157 B | 1 | 1 | |
| 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | dns | | 73 B | 144 B | 1 | 1 | |
| 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | dns | | 71 B | 157 B | 1 | 1 | |
| 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | dns | | 72 B | 158 B | 1 | 1 | |
| 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | dns | | 73 B | 147 B | 1 | 1 | |
| 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | dns | | 71 B | 157 B | 1 | 1 | |
| 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | dns | | 71 B | 145 B | 1 | 1 | |
| 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | dns | | 74 B | 128 B | 1 | 1 | |
| 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | dns | | 72 B | 147 B | 1 | 1 | |
| 8.8.8.8:53 | jokerwe.duckdns.org | dns | sample | 195 B | 81 B | 3 | 1 | 185.174.100.34 (3 requests) |
| 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | dns | | 72 B | 158 B | 1 | 1 | |
| 8.8.8.8:53 | thegatorway.com | dns | sample | 61 B | 134 B | 1 | 1 | |
| 8.8.8.8:53 | thegatorway.com | dns | sample | 61 B | 134 B | 1 | 1 | |
| 8.8.8.8:53 | thegatorway.com | dns | sample | 61 B | 134 B | 1 | 1 | |
| 8.8.8.8:53 | jokerwe.duckdns.org | dns | sample | 130 B | 146 B | 2 | 2 | 185.174.100.34 (2 requests) |

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8CDA.tmp
    Filesize: 1KB
    MD5: af0b3a0fd88d38b36fa396a7be442371
    SHA1: 086948d1d0942ad403c33e9861540dee726bf895
    SHA256: 76ec287689a781c9941d1dab602c206cc730e0467c37586ee86ad106a433f45f
    SHA512: c0663ad336862b37c958fa623b0272c04ead1c74fcfadca9ba5fc1b31fc8475615b6bcc7e34ee72dffc441a0b4acbaf53a147563eaca6a436fd71576effa6b59

  • C:\Users\Admin\AppData\Roaming\AV\logs.dat
    Filesize: 148B
    MD5: b5894c6bb9dc9d3b0beed808d46548fb
    SHA1: 74b552ceb30434835b25507a5ad83c1b1a927c6e
    SHA256: 9f9542873426409ebb5f9f94bea3fb0d438b94b70fbbb4dd29f2fa8ce94ee9be
    SHA512: 7761cdbd6efdb9722ea31170d1418d68c01e960af2d34839cc1fc401883bc4e5beebb0b34819e98809c39f8ad49604c0017b0a0038eb3280036a3535bd14d166

Memory dumps (PID-sequence-start-end):

| Memory dump | Filesize |
|---|---|
| memory/2012-29-0x0000000000400000-0x0000000000479000-memory.dmp | 484KB |
| memory/2012-25-0x0000000000400000-0x0000000000479000-memory.dmp | 484KB |
| memory/2012-24-0x0000000000400000-0x0000000000479000-memory.dmp | 484KB |
| memory/2012-19-0x0000000000400000-0x0000000000479000-memory.dmp | 484KB |
| memory/2012-18-0x0000000000400000-0x0000000000479000-memory.dmp | 484KB |
| memory/2012-17-0x0000000000400000-0x0000000000479000-memory.dmp | 484KB |
| memory/2364-6-0x0000000005110000-0x000000000511A000-memory.dmp | 40KB |
| memory/2364-9-0x0000000074FB0000-0x0000000075760000-memory.dmp | 7.7MB |
| memory/2364-10-0x0000000008B30000-0x0000000008BE2000-memory.dmp | 712KB |
| memory/2364-11-0x0000000004BC0000-0x0000000004C4C000-memory.dmp | 560KB |
| memory/2364-8-0x0000000074FBE000-0x0000000074FBF000-memory.dmp | 4KB |
| memory/2364-7-0x0000000005430000-0x0000000005444000-memory.dmp | 80KB |
| memory/2364-5-0x0000000074FB0000-0x0000000075760000-memory.dmp | 7.7MB |
| memory/2364-0-0x0000000074FBE000-0x0000000074FBF000-memory.dmp | 4KB |
| memory/2364-4-0x00000000051D0000-0x000000000526C000-memory.dmp | 624KB |
| memory/2364-3-0x0000000005130000-0x00000000051C2000-memory.dmp | 584KB |
| memory/2364-26-0x0000000074FB0000-0x0000000075760000-memory.dmp | 7.7MB |
| memory/2364-2-0x0000000005640000-0x0000000005BE4000-memory.dmp | 5.6MB |
| memory/2364-1-0x0000000000620000-0x0000000000712000-memory.dmp | 968KB |
