General
Target: Scan Copy.lha
Size: 699KB
Sample: 210618-y4r6xazh26
MD5: 74b19c9d2a2bc658ef19bfcf6cee7932
SHA1: 932cd45e0d8dcb1a5068ae968bd41f8a8deee8b4
SHA256: 2fd9ff04e26bbbc8f627ba5913fba33494a0ffce9117ecb6e660c03f4e79125b
SHA512: 5a696897f66f5ff5c8644bba5556b77856ba7586f4e65e62238873b204586ced2e792b7a9682e4e156434caf580db1a3ec842fcc8a70f31b74d5406eafe6ceb9
Static task: static1
Behavioral task: behavioral1 (Sample: Scan06631.exe, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: Scan06631.exe, Resource: win10v20210410)
Behavioral task: behavioral3 (Sample: Scan Copy/Scan06632.exe, Resource: win7v20210408)
Behavioral task: behavioral4 (Sample: Scan Copy/Scan06632.exe, Resource: win10v20210410)
Malware Config
Extracted: remcos 3.1.4 Pro
RemoteHost: ramzy.duckdns.org:2005
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: telgap.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-SX86V7
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Extracted: snakekeylogger
Protocol: smtp
Host: smtp.azebal.com
Port: 587
Username: kimone@azebal.com
Password: $LfSkE^9
Targets

Target: Scan06631.exe
Size: 614KB
MD5: 0bef184e0638721ef4c4847c5131a4de
SHA1: 791c93dcbf28eabc84d4d595a4bf51e83789a754
SHA256: 42f088d98889d5ed46a7990cba310ef267800ea172255337e620c905afd375ca
SHA512: 903ed52ab5c2bf5870c9f68734675dcd64ee9087f2f6b932720a3b59c324fb30e007153408f11270edea00259f1360c0f66758672556488add3dd712f96c5a20
Score: 10/10
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: Scan Copy/Scan06632.exe
Size: 273KB
MD5: b174e33d5ab7f90d7164caae7453b114
SHA1: 22c17f3cdd5819996b3c3359ec9758fecd6554dd
SHA256: b373e5a4e4057ab261f9f58af8b2ebe75f401fc7df1c4b5aa26d555ec2a1387e
SHA512: bd9b8783f37a3133ecdcdf34516a7a3984072f550bdae45d6544c22e60461e4a4e4da2cb5f175a49e172b35cd1c52d80635c4ed589c24f05a971f4f13a2ba4c0
Score: 10/10
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service (uses a legitimate IP lookup service to find the infected system's external IP)
- Suspicious use of SetThreadContext