General
-
Target
aqw.exe
-
Size
1.7MB
-
Sample
210109-6vzsalk71n
-
MD5
c4b5c5da311f94d1df0ae07b51c03f71
-
SHA1
57caade886741b41fd1766af6ebc57caee772909
-
SHA256
adb13ebc133a1e008a91f3a8e62f440eef16612cbaaa7a360a25f5a76a8a19c8
-
SHA512
42a8aa386db8a818a0a6e20592e621548b34d301a4f7a638ed94c4968548af7a45e039e779d0fbef35463df5133c6a89051492124d98c0e30321fb6c7ef6ab4e
Malware Config
Extracted
remcos
swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017
Targets
-
-
Target
aqw.exe
-
Size
1.7MB
-
MD5
c4b5c5da311f94d1df0ae07b51c03f71
-
SHA1
57caade886741b41fd1766af6ebc57caee772909
-
SHA256
adb13ebc133a1e008a91f3a8e62f440eef16612cbaaa7a360a25f5a76a8a19c8
-
SHA512
42a8aa386db8a818a0a6e20592e621548b34d301a4f7a638ed94c4968548af7a45e039e779d0fbef35463df5133c6a89051492124d98c0e30321fb6c7ef6ab4e
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
ServiceHost packer
Detects ServiceHost packer used for .NET malware
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-