Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/03/2025, 03:24
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe
  Resource: win10v2004-20250314-en
General
Target: 2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe
Size: 1.2MB
MD5: dcb5272fb6c77d6d01c7db275d15abd4
SHA1: 51baaaecd513d980f35d6d1b69d6aaf6b70d2abd
SHA256: cb807ebeb2e72b80110f7724a456c768daffd55adf65d45e3fe730e54b86559f
SHA512: 7d148cd89504f5057ec538e7f2ed4556bc8a21d745f862fa4a22fd3de19dcf5503679a449a0da1a9c3bc795ea50b8ee5e08983c5ad3c194649088633d4391664
SSDEEP: 24576:XNA3R5drX2nQNLS1wMxnybKAGxPHEgifT0u1h6LId7nT1RMwaMm3CfBomuFS:659LSSMnliT1h6LIdzTXM76fBoY
Malware Config

Extracted
Family: remcos
Version: 2.5.0 Pro
Botnet: NOVEMBER
C2: behco.duckdns.org:2404, paris4real111.ddnsfree.com:2404

Configuration values:
  audio_folder: MicRecords
  audio_path: %AppData%
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  install_path: %AppData%
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  keylog_path: %AppData%
  mouse_option: false
  mutex: Remcos-VVJPTO
  screenshot_crypt: false
  screenshot_flag: true
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 1
  startup_value: remcos
  take_screenshot_option: false
  take_screenshot_time: 5
  take_screenshot_title: wikipedia;solitaire;
Signatures

Remcos family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation
  Process: 2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe

Executes dropped EXE (2 IoCs)
  PID 3716: xaufkfr.bat
  PID 1260: RegSvcs.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\47167307\\xaufkfr.bat C:\\Users\\Admin\\AppData\\Local\\Temp\\47167307\\xdpijumk.krc"
  Process: xaufkfr.bat

Suspicious use of SetThreadContext (1 IoC)
  description: PID 3716 set thread context of 1260; pid: 3716; process: xaufkfr.bat; procid_target: 93

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: xaufkfr.bat
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: RegSvcs.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: 2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 3716; process: xaufkfr.bat (the same entry is repeated 64 times)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 1260; process: RegSvcs.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 5260 wrote to memory of 3716; pid: 5260; process: 2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe; procid_target: 89 (3 entries)
  description: PID 3716 wrote to memory of 1260; pid: 3716; process: xaufkfr.bat; procid_target: 93 (5 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe (depth 1, PID 5260)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\47167307\xaufkfr.bat (depth 2, PID 3716)
    Command line: "C:\Users\Admin\AppData\Local\Temp\47167307\xaufkfr.bat" xdpijumk.krc
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (depth 3, PID 1260)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe (depth 1, PID 2396)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\47167307\xaufkfr.bat C:\Users\Admin\AppData\Local\Temp\47167307\xdpijumk.krc
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 299KB
  MD5: 307a04f2922e9c811651cfc33c52875e
  SHA1: d8445f3b76ce1c8bb55d53d532179d2a5b819a88
  SHA256: 02240258ec0b3ced3a58c3a46ff234afa58ed9ddb266ec5c9d0e1cfec3bdc404
  SHA512: 79997d9379a463b5cbd7acf3e76df5008e9b327153beeb9537f1d8bbcbed05ac3c4451d138267024400117ba6ba38df5083518c2873a064101fa56f6656a59cc

File 2
  Filesize: 732KB
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

File 3
  Filesize: 44KB
  MD5: 9d352bc46709f0cb5ec974633a0c3c94
  SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

File 4
  Filesize: 74B
  MD5: 3e36823ec5f40e58ec8dd58deb5e26b3
  SHA1: 8cc20b3654e55ec7e5fb501a33691722205d1453
  SHA256: 4a72b40ba9dee7edf8d8446678f6c4da20a1dd22cea4c60493aa0c6784ae13be
  SHA512: 2cefdd7355eee9701df2138f918c7fb19e009121e899cc6d56fdd1224670f481b0e647f319dbafecd1f9302a56fd9015a1d81dfe14b00d488869a30e887fd9fb