Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-01-2025 14:34
General
-
Target
199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe
-
Size
863KB
-
MD5
57f7d9095490a4aadda9e261fec73a68
-
SHA1
45e51f97abc52dd29e65d7ec78e18ee8d1721867
-
SHA256
199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d
-
SHA512
80512a3188e69746425f828e394a0bf9ea6b50b4dda5b5f0b819248610d58d6fbd7862f29d42266f473515e60eadb2b5038c3ee9f7f9b26bb0a22981552f1810
-
SSDEEP
24576:Krl6kD68JmlotQfnkSjkpoftUXoBmZieeiftIZpr:4l328U2yfnrQaZoZiEFIZp
Malware Config
Extracted
remcos
RemoteHost
192.210.150.26:8787
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-R1T905
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Detected Nirsoft tools 5 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
-
Drops startup file 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 3 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 9 IoCs
-
Suspicious use of SendNotifyMessage 9 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe"C:\Users\Admin\AppData\Local\Temp\199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"C:\Users\Admin\AppData\Local\Temp\199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe"2⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exeC:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe /stext "C:\Users\Admin\AppData\Local\Temp\vxrjpsdegkptggmaaflxvlebdvvviq"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exeC:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe /stext "C:\Users\Admin\AppData\Local\Temp\frwtqloguthxqmiejqxygyyklbewbbjiyg"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exeC:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe /stext "C:\Users\Admin\AppData\Local\Temp\qtcmrd"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD543ec57c566da6c6952b3abce456f62ad
SHA13b973fe8dd0a884104650934037ae819240afb8a
SHA25644b538f8cdbbc46407de37fc8cf3bcd198897a46270468403a30c43bd2f9d9a2
SHA512bc50f01c39ff5da27dd98b767ad2d8fc4059c20baaffb795c5b6ea54435dd922e754aef2add1c52ab4defbd68d0ac850b9ab46c6bb8a8ffad39f9115f52ec7f3
-
Filesize
419KB
MD5a9a0e5250052a7c19d3272e47dbf1f2d
SHA119d121b655a3802195d307c0431f84ceb9042d7b
SHA2562cb6c8e181dd25247599136ada37c8cfc64bdc5b073a236524a97182ba8fc720
SHA5128427ff93f6f6f7849be19e9dd93418067fe7e4da271e7e694a37feab606803a3a031979838c55551b0c7d590e5959cbb53a8ddfedee36494769fae7dbc1e2d4b
-
Filesize
481KB
MD5bd289fa20b842c995c4616d9cf521df5
SHA16d85a647c2995355869131522ca6c3f087db187a
SHA256686deae06fa39d9d353c1433d1c43a360877631186a36ff92bb29c3914d6238e
SHA5122004f457ea076b9e7243388ae1132790be023636be70c9161b38954aef6e27e2049ec87c5af7205a60964cc08bf9e968d9da71307a462c168f3bea7ade302be7
-
Filesize
4KB
MD557509a6a6267f17bef5e5da8b1df8829
SHA10886741be12c4e6dd24688df7b9568e91b2fc2aa
SHA2564d50e4b2ee7b25d6a88dea6a28503975ca95f98e6e72fcd1ee754d016df3ed3d
SHA512019c20a2354ef20ff3870ea4d544ae4e7ec21729bfbeb19d2dd2f8b087fcb6b83f259ab2f35e0f3c7f044ebb7c5bbfdfc63f23b811d458a15f5ad35aa9175228
-
Filesize
863KB
MD557f7d9095490a4aadda9e261fec73a68
SHA145e51f97abc52dd29e65d7ec78e18ee8d1721867
SHA256199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d
SHA51280512a3188e69746425f828e394a0bf9ea6b50b4dda5b5f0b819248610d58d6fbd7862f29d42266f473515e60eadb2b5038c3ee9f7f9b26bb0a22981552f1810
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
4.0MB
-
Filesize
1.9MB
-
Filesize
4.0MB
-
Filesize
1.9MB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
508KB
-
Filesize
1.9MB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
4.0MB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
4.0MB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB