General

Target: imagnpdf0440690129912239vistaprevia02052329503adobeplayer02304293.exe
Size: 1.8MB
Sample: 210111-x76t65z3re
MD5: 5b2c784d7de1aeb2bbfcee269f138e00
SHA1: 9948f3bf9aa8c548139c2b6c969cb90b9ace4c3a
SHA256: cb8642988cadd0d704adcd1025d24a0604416c9fbd92d9b74597e861c0a15d22
SHA512: 0eaacc0d76a93db04a0ed55878fa90d30b48debe23ff0a38dcc223d1daada1f53da558b1bfec052af04e9fdffcf0b979fa18309d2dd1954ff934f6491ed4e1cb
Static task: static1

Behavioral task: behavioral1
Sample: imagnpdf0440690129912239vistaprevia02052329503adobeplayer02304293.exe
Resource: win7v20201028

Behavioral task: behavioral2
Sample: imagnpdf0440690129912239vistaprevia02052329503adobeplayer02304293.exe
Resource: win10v20201028
Malware Config

Extracted family: remcos
C2: cincuentayseisrem.duckdns.org:1012
Targets

Target: imagnpdf0440690129912239vistaprevia02052329503adobeplayer02304293.exe
Score: 10/10

Signatures:
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext