Overview

overview

10

Static

static

3

2025-03-30...fo.exe

windows7-x64

10

2025-03-30...fo.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/03/2025, 03:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe

  • Size

    1.2MB

  • MD5

    dcb5272fb6c77d6d01c7db275d15abd4

  • SHA1

    51baaaecd513d980f35d6d1b69d6aaf6b70d2abd

  • SHA256

    cb807ebeb2e72b80110f7724a456c768daffd55adf65d45e3fe730e54b86559f

  • SHA512

    7d148cd89504f5057ec538e7f2ed4556bc8a21d745f862fa4a22fd3de19dcf5503679a449a0da1a9c3bc795ea50b8ee5e08983c5ad3c194649088633d4391664

  • SSDEEP

    24576:XNA3R5drX2nQNLS1wMxnybKAGxPHEgifT0u1h6LId7nT1RMwaMm3CfBomuFS:659LSSMnliT1h6LIdzTXM76fBoY

Score
10/10
remcosnovemberdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

NOVEMBER

C2

behco.duckdns.org:2404

paris4real111.ddnsfree.com:2404
Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-VVJPTO

  • screenshot_crypt

    false

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-30_dcb5272fb6c77d6d01c7db275d15abd4_black-basta_luca-stealer_metamorfo.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5260
    • C:\Users\Admin\AppData\Local\Temp\47167307\xaufkfr.bat
      "C:\Users\Admin\AppData\Local\Temp\47167307\xaufkfr.bat" xdpijumk.krc
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3716
      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1260
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\47167307\xaufkfr.bat C:\Users\Admin\AppData\Local\Temp\47167307\xdpijumk.krc
    1⤵
      PID:2396

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\47167307\odnonxugl.ppt
      Filesize

      299KB

      MD5

      307a04f2922e9c811651cfc33c52875e

      SHA1

      d8445f3b76ce1c8bb55d53d532179d2a5b819a88

      SHA256

      02240258ec0b3ced3a58c3a46ff234afa58ed9ddb266ec5c9d0e1cfec3bdc404

      SHA512

      79997d9379a463b5cbd7acf3e76df5008e9b327153beeb9537f1d8bbcbed05ac3c4451d138267024400117ba6ba38df5083518c2873a064101fa56f6656a59cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\47167307\xaufkfr.bat
      Filesize

      732KB

      MD5

      71d8f6d5dc35517275bc38ebcc815f9f

      SHA1

      cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

      SHA256

      fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

      SHA512

      4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      Filesize

      44KB

      MD5

      9d352bc46709f0cb5ec974633a0c3c94

      SHA1

      1969771b2f022f9a86d77ac4d4d239becdf08d07

      SHA256

      2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

      SHA512

      13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\remcos\logs.dat
      Filesize

      74B

      MD5

      3e36823ec5f40e58ec8dd58deb5e26b3

      SHA1

      8cc20b3654e55ec7e5fb501a33691722205d1453

      SHA256

      4a72b40ba9dee7edf8d8446678f6c4da20a1dd22cea4c60493aa0c6784ae13be

      SHA512

      2cefdd7355eee9701df2138f918c7fb19e009121e899cc6d56fdd1224670f481b0e647f319dbafecd1f9302a56fd9015a1d81dfe14b00d488869a30e887fd9fb

      Download Submit

    • memory/1260-182-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-177-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-179-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-184-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-186-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-187-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-188-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-189-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-190-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-191-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-193-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-194-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-195-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-196-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-197-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-198-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-199-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-200-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-201-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-202-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-203-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-204-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-206-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-207-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-208-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-209-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-210-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-211-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-212-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-213-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-214-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-215-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-216-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-218-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-219-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-220-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-221-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-222-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-223-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-224-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-225-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-226-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-227-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-228-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-229-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-230-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-232-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-233-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-234-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-235-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-236-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-237-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-238-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-243-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-244-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-246-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1260-247-0x0000000000E00000-0x0000000001E00000-memory.dmp

      Filesize

      16.0MB

      Download