Overview

overview

10

Static

static

3

2025-03-30...fo.exe

windows7-x64

7

2025-03-30...fo.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/03/2025, 03:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe

  • Size

    1.2MB

  • MD5

    dcb5272fb6c77d6d01c7db275d15abd4

  • SHA1

    51baaaecd513d980f35d6d1b69d6aaf6b70d2abd

  • SHA256

    cb807ebeb2e72b80110f7724a456c768daffd55adf65d45e3fe730e54b86559f

  • SHA512

    7d148cd89504f5057ec538e7f2ed4556bc8a21d745f862fa4a22fd3de19dcf5503679a449a0da1a9c3bc795ea50b8ee5e08983c5ad3c194649088633d4391664

  • SSDEEP

    24576:XNA3R5drX2nQNLS1wMxnybKAGxPHEgifT0u1h6LId7nT1RMwaMm3CfBomuFS:659LSSMnliT1h6LIdzTXM76fBoY

Score
10/10
remcosnovemberdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

NOVEMBER

C2

behco.duckdns.org:2404

paris4real111.ddnsfree.com:2404
Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-VVJPTO

  • screenshot_crypt

    false

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4196
    • C:\Users\Admin\AppData\Local\Temp\47167307\xaufkfr.bat
      "C:\Users\Admin\AppData\Local\Temp\47167307\xaufkfr.bat" xdpijumk.krc
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1712
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\47167307\xaufkfr.bat C:\Users\Admin\AppData\Local\Temp\47167307\xdpijumk.krc
    1⤵
      PID:2012

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\47167307\odnonxugl.ppt
      Filesize

      299KB

      MD5

      307a04f2922e9c811651cfc33c52875e

      SHA1

      d8445f3b76ce1c8bb55d53d532179d2a5b819a88

      SHA256

      02240258ec0b3ced3a58c3a46ff234afa58ed9ddb266ec5c9d0e1cfec3bdc404

      SHA512

      79997d9379a463b5cbd7acf3e76df5008e9b327153beeb9537f1d8bbcbed05ac3c4451d138267024400117ba6ba38df5083518c2873a064101fa56f6656a59cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\47167307\xaufkfr.bat
      Filesize

      732KB

      MD5

      71d8f6d5dc35517275bc38ebcc815f9f

      SHA1

      cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

      SHA256

      fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

      SHA512

      4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      Filesize

      44KB

      MD5

      9d352bc46709f0cb5ec974633a0c3c94

      SHA1

      1969771b2f022f9a86d77ac4d4d239becdf08d07

      SHA256

      2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

      SHA512

      13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\remcos\logs.dat
      Filesize

      74B

      MD5

      c15781200b087b56c68e9c50a6737eb9

      SHA1

      6ee6f3ddbff4490c6c65433c4ae0b419947315fe

      SHA256

      13cea422b9e029b538a66f9c84a52d94534b2aaff2f2d20cdb6f087cdf0dbec1

      SHA512

      08a3f19754e8187b39b4536aa7c14abbbf548c4228c050e197d7f5f9821b2e63b17f5e92cf3546d6d23ea8523476795cee9d6ced89bdbcb830c9a80ca269a285

      Download Submit

    • memory/1712-180-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-184-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-179-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-177-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-186-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-187-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-188-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-189-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-191-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-192-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-193-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-194-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-195-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-196-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-197-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-198-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-199-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-200-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-201-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-203-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-204-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-205-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-206-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-207-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-208-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-209-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-210-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-211-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-212-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-213-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-215-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-216-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-217-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-218-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-219-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-220-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-221-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-223-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-224-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-225-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-226-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-227-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-228-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-229-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-230-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-231-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-232-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-233-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-234-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-236-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-237-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-238-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-239-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-240-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-241-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-242-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-243-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-244-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-245-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-246-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1712-249-0x0000000001200000-0x0000000002200000-memory.dmp

      Filesize

      16.0MB

      Download