Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/03/2025, 03:20
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe
  Resource: win10v2004-20250314-en
General
Target: 2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe
Size: 1.2MB
MD5: dcb5272fb6c77d6d01c7db275d15abd4
SHA1: 51baaaecd513d980f35d6d1b69d6aaf6b70d2abd
SHA256: cb807ebeb2e72b80110f7724a456c768daffd55adf65d45e3fe730e54b86559f
SHA512: 7d148cd89504f5057ec538e7f2ed4556bc8a21d745f862fa4a22fd3de19dcf5503679a449a0da1a9c3bc795ea50b8ee5e08983c5ad3c194649088633d4391664
SSDEEP: 24576:XNA3R5drX2nQNLS1wMxnybKAGxPHEgifT0u1h6LId7nT1RMwaMm3CfBomuFS:659LSSMnliT1h6LIdzTXM76fBoY
Malware Config
Extracted
Family: remcos
Botnet: NOVEMBER
C2:
  behco.duckdns.org:2404
  paris4real111.ddnsfree.com:2404
Attributes:
  audio_folder: MicRecords
  audio_path: %AppData%
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  install_path: %AppData%
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  keylog_path: %AppData%
  mouse_option: false
  mutex: Remcos-VVJPTO
  screenshot_crypt: false
  screenshot_flag: true
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 1
  startup_value: remcos
  take_screenshot_option: false
  take_screenshot_time: 5
  take_screenshot_title: wikipedia;solitaire;
Signatures
- Remcos family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation (process: 2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe)
- Executes dropped EXE (2 IoCs)
  PID 1564: xaufkfr.bat
  PID 1712: RegSvcs.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\47167307\\xaufkfr.bat C:\\Users\\Admin\\AppData\\Local\\Temp\\47167307\\xdpijumk.krc" (process: xaufkfr.bat)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1564 (xaufkfr.bat) set thread context of PID 1712 (procid_target 100)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: RegSvcs.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xaufkfr.bat)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1564: xaufkfr.bat (64 identical entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1712: RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4196 (2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe) wrote to memory of PID 1564 (procid_target 89), 3 entries
  PID 1564 (xaufkfr.bat) wrote to memory of PID 1712 (procid_target 100), 5 entries
Processes
C:\Users\Admin\AppData\Local\Temp\2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe"
  PID: 4196
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\47167307\xaufkfr.bat
    Command line: "C:\Users\Admin\AppData\Local\Temp\47167307\xaufkfr.bat" xdpijumk.krc
    PID: 1564
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      PID: 1712
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\47167307\xaufkfr.bat C:\Users\Admin\AppData\Local\Temp\47167307\xdpijumk.krc
  PID: 2012
Network
MITRE ATT&CK Enterprise v15
Downloads