Overview

overview

10

Static

static

5

Air Waybil...pg.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/04/2025, 16:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Air Waybill no 6979374150.jpg.exe

  • Size

    1.2MB

  • MD5

    b0c5db5da6ddac16b5e0d10541b490c9

  • SHA1

    4f5ce083d1cddf3accc4546aff8f1947398d25ab

  • SHA256

    ba07a481a7e8a35c8b0f80de7ceb81307f0efd284656bece481aa4ac4e088af9

  • SHA512

    2993c8d5dfd695771007048bef14e1a9ead4106d7a438a1a934b5af8439263448092aab6fda3f9b0976e4523a106ba52615adfda7afd8dea22d91a7f863081b7

  • SSDEEP

    24576:eu6J33O0c+JY5UZ+XC0kGso6Fa2B5P6q0yg9nd7kRMdXWY:wu0c++OCvkGs9Fa2L6q+d6Y

Score
10/10
remcosremotehostdiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

103.83.87.190:5817

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-E1OC2H

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Air Waybill no 6979374150.jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\Air Waybill no 6979374150.jpg.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Users\Admin\AppData\Local\bothsided\Vevina.exe
      "C:\Users\Admin\AppData\Local\Temp\Air Waybill no 6979374150.jpg.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\Air Waybill no 6979374150.jpg.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4492

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gunfights
    Filesize

    486KB

    MD5

    7aa47fb940ccaa5157552d47005c55be

    SHA1

    178ad4fd9ca90841f433408a2e59f82f4800d078

    SHA256

    f1ae37c0bbd9c2ac8d50d98c4bbd060e51e6704540d9c28c225178f7c0339937

    SHA512

    2672cee6b92d003a751dcf8b2db10379cf6a63e7c3efcdae99592ef762cb587be8114ed850d740ae5475b2d57693119bf2ad89f8204bbfd06ae2c86d2927d35f

    Download Submit

  • C:\Users\Admin\AppData\Local\bothsided\Vevina.exe
    Filesize

    1.2MB

    MD5

    b0c5db5da6ddac16b5e0d10541b490c9

    SHA1

    4f5ce083d1cddf3accc4546aff8f1947398d25ab

    SHA256

    ba07a481a7e8a35c8b0f80de7ceb81307f0efd284656bece481aa4ac4e088af9

    SHA512

    2993c8d5dfd695771007048bef14e1a9ead4106d7a438a1a934b5af8439263448092aab6fda3f9b0976e4523a106ba52615adfda7afd8dea22d91a7f863081b7

    Download Submit

  • memory/980-6-0x0000000001530000-0x0000000001930000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1060-18-0x0000000000C10000-0x0000000001010000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4492-28-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-29-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-22-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-23-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-24-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-25-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-26-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-27-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-20-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-21-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-32-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-33-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-34-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-35-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-36-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-37-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-38-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-39-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-41-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4492-42-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download