General

  • Target

    quarantine.7z

  • Size

    19.1MB

  • Sample

    250218-x8wx9sxmel

  • MD5

    5b07c232d32aca4142f1f7235acb1b71

  • SHA1

    b91e1b46372706234192d3d4193a1bd2e0ef6918

  • SHA256

    fbb1c5811042bfe6fbc3329c17e2bbb75279d315777768ef6b835a85e9331ef2

  • SHA512

    2c4e48f515f6e03618e96aebc0d2f1ce609979de646a762824ccacb4ddf9e0eedb832e520262091f2518ec08b9484dd445c464529229555f0df52ac49a60655f

  • SSDEEP

    393216:3+5A2xwXMIOBHj6+fv97p40UGjIb0AHN0AuAQwdrwqED+pXO1TSyTYHSS6+3:OdIMe+fVp4rQ60+aA6wdrYYhSS93

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    hotel

  • C2

    rm.bizvally.net:3397

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-5ITRQT

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

  • Family

    stealc

  • Botnet

    default

  • C2

    http://ecozessentials.com

Attributes
  • url_path

    /e6cb1c8fc7cd1659.php

Targets

    • Target

      quarantine/BSFiC9K.exe

    • Size

      162B

    • MD5

      1b7c22a214949975556626d7217e9a39

    • SHA1

      d01c97e2944166ed23e47e4a62ff471ab8fa031f

    • SHA256

      340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

    • SHA512

      ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

    Score
    3/10
    • Target

      quarantine/ORaMflC.exe

    • Size

      162B

    • MD5

      1b7c22a214949975556626d7217e9a39

    • SHA1

      d01c97e2944166ed23e47e4a62ff471ab8fa031f

    • SHA256

      340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

    • SHA512

      ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

    Score
    3/10
    • Target

      quarantine/Setup_2024.exe

    • Size

      3.4MB

    • MD5

      862fe5205353b8b771333e1c49bfce79

    • SHA1

      cdb767613dc8ce51f664830e1e770de7776524c8

    • SHA256

      7a0a69e7e2dabdd39fe3d5a5c2677aace72e3f308a9fe85f2fc04808df14611e

    • SHA512

      ec3a78f202d51796842b0eacf4d83ce5bb45358023249e632de028ecc1ab81374241b1ac9b2b8b8854a53109066dea9756b93ea160d2f89a77e5fa88cfec4b97

    • SSDEEP

      98304:LhwJnckvGgZwsiqVP3XhtgWB4Mu6pdPS/gi2TKo5npE8n7EtiYU:LucbgZf53RZBvu6vS/g3P5nS8n4tiYU

    Score
    5/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      setup.exe

    • Size

      7.4MB

    • MD5

      7488d696f9a3d74e093b4c31ef7282c6

    • SHA1

      777a182ed8ca8377581c91ac3d91b4b4fe233353

    • SHA256

      b03c4cc3c1377ee81b1f94da126e58a30f484d4d935889538fae1c650dd6828b

    • SHA512

      a40d074243ec3ced28fc8b4f3e00ccbfb755415540e655e29820b96b2569d530c21f46e3cb7aee24e46de2339207e46c6c4a05f7bd7ce5d85485952b9f881e08

    • SSDEEP

      196608:NX4RUixxsuKuIGizTftIEgBkXVKJw579eRGzouxdxGXaI6HMaJTtGbFK:qnmuKuE3f9gVG5xxGo

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Target

      quarantine/ht.exe

    • Size

      482KB

    • MD5

      e2f3d65d4b25ca3a10e41a7159b40c13

    • SHA1

      3e451e4e3ebfb7504a6a7fde29b99f4c56842cb9

    • SHA256

      29297e99d5e000d6a21dd2ffa542d100f5f737d1317b49fb8057194706934ce5

    • SHA512

      31fb654fcf245947286cfa8e812185db52f4edd59b335a140b0c9a84427b41737cb3e75a4ef3dd9e218665ffd452b27b3797c502edd329add4c8f6b2a8be1ff3

    • SSDEEP

      12288:913ak/mBXTG4/1v08KI7ZnMEF76JqmsvZQqS:Xak/mBXTV/R0nEF76gFZp

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Suspicious use of SetThreadContext

    • Target

      quarantine/m5UP2Yj.exe

    • Size

      1.7MB

    • MD5

      74183fecff41da1e7baf97028fee7948

    • SHA1

      b9a7c4a302981e7e447dbf451b7a8893efb0c607

    • SHA256

      04032a467e48ca2cc8b1310fa8e27225faf21479126d4f61e356fa356ef2128a

    • SHA512

      9aae3f12feb4fba81e29754ba3eac17d00e5f8db9b1319d37dcec636d1b4dea2022b679498303900fdb8956bf11cffd0be1c6e873781ab656d260f48f0872584

    • SSDEEP

      49152:nKejB4Y9a+rOZ3jDptJx1LXVQL079kWi:KjYdrOZ/VL2LMk

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      quarantine/pic5.jpg

    • Size

      421KB

    • MD5

      59f2f7f0cf8faf41dbb0a7878b5d66bb

    • SHA1

      0a96781c3e937cd7c12a052242f4755ea3656297

    • SHA256

      683391c9e997f8e960c52edb11106157fb4bf122d21a0a72fe6a9a14ebacf584

    • SHA512

      f3c6bc3fe42dbf48bda944817718298c9e23b7b6c08d7ff3142dfbc82b9a5070090ba80ce8dad8bc7b99e334f888bad3b6109142b5dc063a5ef73883f2b87ccd

    • SSDEEP

      12288:MSasngwHpPE9JyzE7Q1Hlt/a7CLfznto3ZUsVB:gsngwHpPvgqFRaGLfDtMZUOB

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      quarantine/random.dllMain

    • Size

      5KB

    • MD5

      64860346535febeff11c67fd1a72e8d6

    • SHA1

      3c803e7aa59264ba66e77481c8313b40b8f6904c

    • SHA256

      c3bc119b29f9446f877c486632007075e941650b199f8e83a6b396c56001423d

    • SHA512

      439a818205138e69a2f69403cc0331f68b40ee5e32203ffb279ca7f161058ecf9fdd9bb5c4776d6d5382d3fc8690e1941c181c0dbbca9aea1734f41de4b55d41

    • SSDEEP

      96:1j9jwIjYj5jDK/D5DMF+C8tZqXKHvpIkdNzrRN9PaQxJbK5hnx/IR:1j9jhjYj9K/Vo+n+aHvFdNzrX9ieJenu

    Score
    3/10
    • Target

      quarantine/random.exe

    • Size

      21.8MB

    • MD5

      d5d0ef9a2b73195c8ff0a7e1300864d2

    • SHA1

      5250811b24e290aa4558835f473cb05cc4b4b8de

    • SHA256

      48137c18724ecc9ca9a8b9c743cbbdd8bc4791980ed16a2613bc893866fcdfa7

    • SHA512

      43b74c124bdda3aedcd80b99f6912a18b8975437194910531aa17574f010ee66abe67c3c5d56d750cd0e843066262618a05b900d648d3e79faa9b903a8259392

    • SSDEEP

      24576:m4rDuALLuIzpo4nC1rUsEq3xwPvDCLnj0KDUIw+fDFU1i95pX9vrIufPkkVf3ybM:2

    Score
    1/10
    • Target

      quarantine/random_2.exe

    • Size

      947KB

    • MD5

      c87f37b640fa7e3e01b731b882bc2c89

    • SHA1

      9308495700f0480079b7f98e3b4a5fe5bb7d49b6

    • SHA256

      d799b9a2a2ff0d1cf4c76840719ce79a4719d22a590571b097779bee4c9dc3d0

    • SHA512

      589b59d9271974f4375cb96a423fc32066e708a7ffc634f3bdf3ab07a2d59c99991afe2bf5055fafead91d2debab2017ebc58ff66f7040cbb3f73a70a9f4e7e5

    • SSDEEP

      24576:1qDEvCTbMWu7rQYlBQcBiT6rprG8aXX4kE:1TvC/MTQYxsWR7aXIk

    Score
    3/10
    • Target

      quarantine/random_3.exe

    • Size

      1.7MB

    • MD5

      b43d63871e42c3d2ffe65020e8f2c9ae

    • SHA1

      2b0a70651f92eb3f9871c755f690c35663b2e7e1

    • SHA256

      acf6a8746430f2790af40af611406c3dc738f614c87244e38c9f3183ceacf27b

    • SHA512

      b3b1e239ad0e51c81e369cfbdb964172f8406e6a0d6278e06105063ae5ee6aa972b634d289ec3129aff1b20898108b8795e62f06dc642da16919a7c4ef1b45ca

    • SSDEEP

      49152:y2hR7YCrNfh6HTgEvYPetgVsM/R8My6iEM:yA/rN4z5vYmOVN/R8M35M

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      quarantine/rh_0.8.0.exe

    • Size

      439KB

    • MD5

      4d8c17ce240224e3db7e1477b1de6845

    • SHA1

      513fe77b749aface2758bbdfefc8f1ae9e75c654

    • SHA256

      a871bde353ec15742bb456b550c0d24a7d6687320a62ffcd24e6338474e3c225

    • SHA512

      ba65cc7554a58f4703f10d6c14f02aa72b513da97f065bbf38e06494e9fa7a75d12323d67f9f9ecb6f799cdb400862a91a082ddae9d1f11115f9596691091bd0

    • SSDEEP

      12288:1O7k28xC7HMDVBjfbL5S6IZ7OGQN/RutyU3ivG/6t9:+OS6IZ7QN/R8yoaG/e

    • Detects Rhadamanthys payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Rhadamanthys family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Target

      quarantine/sgu7U1r.exe

    • Size

      162B

    • MD5

      1b7c22a214949975556626d7217e9a39

    • SHA1

      d01c97e2944166ed23e47e4a62ff471ab8fa031f

    • SHA256

      340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

    • SHA512

      ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

    Score
    3/10
    • Target

      quarantine/xB2HL9g.exe

    • Size

      162B

    • MD5

      1b7c22a214949975556626d7217e9a39

    • SHA1

      d01c97e2944166ed23e47e4a62ff471ab8fa031f

    • SHA256

      340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

    • SHA512

      ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

    Score
    3/10
    • Target

      quarantine/xclient.exe

    • Size

      6KB

    • MD5

      307dca9c775906b8de45869cabe98fcd

    • SHA1

      2b80c3a2fd4a235b2cc9f89315a554d0721c0dd1

    • SHA256

      8437bd0ef46a19c9a7c294c53e0429b40e76ebbd5fe9fd73a9025752495ddb1c

    • SHA512

      80c03f7add3a33a5df7b1f1665253283550dac484d26339ecd85672fb506dce44bd0bf96275d5c41a2e7369c3b604de377b7f5985d7d0d76c7ac663d60a67a1c

    • SSDEEP

      96:k2J/SNi/FLQVTLKCGWz5ln59Jy0jRdoMVZTdI5:k2pV2RKCxDnxyTMVZT0

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

hotel, remcos, rhadamanthys
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
4/10

behavioral6

discovery
Score
5/10

behavioral7

Score
1/10

behavioral8

discovery
Score
7/10

behavioral9

remcos, hotel, discovery, rat
Score
10/10

behavioral10

remcos, hotel, discovery, rat
Score
10/10

behavioral11

stealc, default, defense_evasion, discovery, stealer
Score
10/10

behavioral12

stealc, default, defense_evasion, discovery, stealer
Score
10/10

behavioral13

bootkit, persistence
Score
6/10

behavioral14

bootkit, discovery, persistence
Score
6/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

stealc, default, defense_evasion, discovery, stealer
Score
10/10

behavioral22

stealc, default, defense_evasion, discovery, stealer
Score
10/10

behavioral23

rhadamanthys, discovery, stealer
Score
10/10

behavioral24

rhadamanthys, discovery, stealer
Score
10/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
3/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10