Overview
overview
10Static
static
1094975fe621...cd.exe
windows7-x64
1094975fe621...cd.exe
windows10-2004-x64
1094c020786b...1d.exe
windows7-x64
1094c020786b...1d.exe
windows10-2004-x64
1094c7c87a82...20.exe
windows7-x64
194c7c87a82...20.exe
windows10-2004-x64
194dd618932...a1.exe
windows7-x64
394dd618932...a1.exe
windows10-2004-x64
394e2ada20e...f6.exe
windows7-x64
1094e2ada20e...f6.exe
windows10-2004-x64
7952e0a7f82...33.exe
windows7-x64
7952e0a7f82...33.exe
windows10-2004-x64
7953e99960b...40.exe
windows7-x64
10953e99960b...40.exe
windows10-2004-x64
109576cc7c1d...3f.exe
windows7-x64
109576cc7c1d...3f.exe
windows10-2004-x64
10959c2d37a1...19.exe
windows7-x64
10959c2d37a1...19.exe
windows10-2004-x64
1095cc71e95c...eb.exe
windows7-x64
1095cc71e95c...eb.exe
windows10-2004-x64
1095fc2287fc...2c.exe
windows7-x64
1095fc2287fc...2c.exe
windows10-2004-x64
10960c033d30...04.exe
windows7-x64
1960c033d30...04.exe
windows10-2004-x64
196591b5749...ff.exe
windows7-x64
196591b5749...ff.exe
windows10-2004-x64
19695505ced...e7.exe
windows7-x64
19695505ced...e7.exe
windows10-2004-x64
196959cb142...76.exe
windows7-x64
1096959cb142...76.exe
windows10-2004-x64
1096985d97b0...da.exe
windows7-x64
1096985d97b0...da.exe
windows10-2004-x64
10Analysis
-
max time kernel
138s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22/03/2025, 06:14
Behavioral task
behavioral1
Sample
94975fe621437bc551de379ca5db04f88554915fa00e95a8595116a5e91d35cd.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
94975fe621437bc551de379ca5db04f88554915fa00e95a8595116a5e91d35cd.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
94c020786bf74ea45e95666a68b1d21d.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
94c020786bf74ea45e95666a68b1d21d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
94c7c87a82c5b86f793f2553cc5a6c20.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
94c7c87a82c5b86f793f2553cc5a6c20.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
94dd6189328a24ea86b9726e0ff01aba18c8b2d13cdd59dcdedf9ae19b9700a1.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
94dd6189328a24ea86b9726e0ff01aba18c8b2d13cdd59dcdedf9ae19b9700a1.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
94e2ada20e21670b71abcc87c81ea0f6.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
94e2ada20e21670b71abcc87c81ea0f6.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
952e0a7f82d06cd737223c4fe0c0d133.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
952e0a7f82d06cd737223c4fe0c0d133.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
9576cc7c1d016017905b260b127b983f.exe
Resource
win7-20250207-en
Behavioral task
behavioral16
Sample
9576cc7c1d016017905b260b127b983f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
959c2d37a1e94337957c5323aab9bf19.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
959c2d37a1e94337957c5323aab9bf19.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
95cc71e95ccf96ee404de6261589d09ec40cc8e5536356806e23b2b8ba21fdeb.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
95cc71e95ccf96ee404de6261589d09ec40cc8e5536356806e23b2b8ba21fdeb.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
95fc2287fc4fea75666b56cfd668d72c.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
95fc2287fc4fea75666b56cfd668d72c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
960c033d3033f9058766fe5f229e94401874404c1df50c73856346dc7141a104.exe
Resource
win7-20240729-en
Behavioral task
behavioral24
Sample
960c033d3033f9058766fe5f229e94401874404c1df50c73856346dc7141a104.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
96591b574924a1846cfccfedd4cfd584f84e920dc06b5ce05a581a8a067c79ff.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
96591b574924a1846cfccfedd4cfd584f84e920dc06b5ce05a581a8a067c79ff.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
9695505ced3961f59e27022cd01b53f6a05fd1dc98c77f3f4d4b1c16aa72b8e7.exe
Resource
win7-20241023-en
Behavioral task
behavioral28
Sample
9695505ced3961f59e27022cd01b53f6a05fd1dc98c77f3f4d4b1c16aa72b8e7.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral29
Sample
96959cb1423fd801a2e3d718868a3776.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
96959cb1423fd801a2e3d718868a3776.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
96985d97b017d4c59db75bdbab49f82d464e90407987be456b1b0ba7f1b748da.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
96985d97b017d4c59db75bdbab49f82d464e90407987be456b1b0ba7f1b748da.exe
Resource
win10v2004-20250314-en
General
-
Target
953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe
-
Size
903KB
-
MD5
63fef350b2de6b1f516cac9122e8e642
-
SHA1
2cb07a2d417f8e18c80906dc4fc8253614520c68
-
SHA256
953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140
-
SHA512
0575ab2275e5e0ea2b875eefecea7e7d5b8951a9508e45b97277466abfe6182f6dacbf128f5d30640a59017756fb87db66f13d01f81b70553d6dce8417b1c60f
-
SSDEEP
12288:tp+rgRNyA55IxJ+feDOa9rZj5XqkJD0QrOod7XxlW91RRz9Mr:tpugRNJI1D39dlfGQrFUx9Mr
Malware Config
Extracted
remcos
1.7 Pro
Host
213.183.58.19:4000
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
read.dat
-
keylog_flag
false
-
keylog_folder
CastC
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_sccafsoidz
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Executes dropped EXE 2 IoCs
pid Process 2840 sbietrcl.exe 2948 sbietrcl.exe -
Loads dropped DLL 1 IoCs
pid Process 1756 953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe" 953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2840 set thread context of 2948 2840 sbietrcl.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sbietrcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sbietrcl.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 1756 953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe 1756 953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe 1756 953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe 1756 953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe 1756 953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe 1756 953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe 2840 sbietrcl.exe 2840 sbietrcl.exe 2840 sbietrcl.exe 2840 sbietrcl.exe 2840 sbietrcl.exe 2840 sbietrcl.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1756 953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe Token: SeDebugPrivilege 2840 sbietrcl.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2948 sbietrcl.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1756 wrote to memory of 2840 1756 953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe 30 PID 1756 wrote to memory of 2840 1756 953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe 30 PID 1756 wrote to memory of 2840 1756 953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe 30 PID 1756 wrote to memory of 2840 1756 953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe 30 PID 2840 wrote to memory of 2948 2840 sbietrcl.exe 31 PID 2840 wrote to memory of 2948 2840 sbietrcl.exe 31 PID 2840 wrote to memory of 2948 2840 sbietrcl.exe 31 PID 2840 wrote to memory of 2948 2840 sbietrcl.exe 31 PID 2840 wrote to memory of 2948 2840 sbietrcl.exe 31 PID 2840 wrote to memory of 2948 2840 sbietrcl.exe 31 PID 2840 wrote to memory of 2948 2840 sbietrcl.exe 31 PID 2840 wrote to memory of 2948 2840 sbietrcl.exe 31 PID 2840 wrote to memory of 2948 2840 sbietrcl.exe 31 PID 2840 wrote to memory of 2948 2840 sbietrcl.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe"C:\Users\Admin\AppData\Local\Temp\953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2948
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
909KB
MD5b454dc6d95f410bb46dbe26265590bfb
SHA19955acb99da379974dde4e1d1a874beba5c9b0b5
SHA256787c345057209f8b3866df03b354634af3e3cecc8e0f66e6aac7cdf2ddd65942
SHA512342432c552a160c8a582bbd8a28d94c8c53b10429f2d5ae9828280bfef2d62755486fe7fd79ddf0de3f21f02a03a09912a15ba80f77de49a09c033e51bb0a38a