General
- Target: IMG-PO-SCAN-DOCUMENTS-00HDU12.exe
- Size: 1.3MB
- Sample: 201230-d23lpafhsn
- MD5: 7b6d7d2361883cbb2aa79225773e069a
- SHA1: 7f537d09deb9a10d4786db1194e5e3d14bf39aac
- SHA256: 0b8fd92f9a070ff1914f4c71c2f684c9a877993b051af080ee198bccedf209ad
- SHA512: eaa90bdc190d8c0a727242627f10c41d6aa86de33ce81e6b0dfbcb616f4b5190441b368c68f63d20e764b47484064cbdf285a4f99ead548352ffd849f4703990
Static task: static1

Behavioral task: behavioral1
- Sample: IMG-PO-SCAN-DOCUMENTS-00HDU12.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: IMG-PO-SCAN-DOCUMENTS-00HDU12.exe
- Resource: win10v20201028

Malware Config
- Extracted: remcos
- Host: www.alldatalogs.xyz:2404
Targets
- Target: IMG-PO-SCAN-DOCUMENTS-00HDU12.exe
- Score: 10/10

Signatures
- Modifies WinLogon for persistence
- Turns off Windows Defender SpyNet reporting
- Drops startup file
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext