General
- Target: 878dbdcd93fa8a501ad8ff5e798ca60e004f89af453346a09b37a0d5146bc37a
- Size: 1.1MB
- Sample: 210727-5pj3dyxyvs
- MD5: e1a8c1a7b463efea24a2c441e644a6a8
- SHA1: 9d7cfbc4a248bfcc2d01069d8da3d41f4ab90e66
- SHA256: 878dbdcd93fa8a501ad8ff5e798ca60e004f89af453346a09b37a0d5146bc37a
- SHA512: 6850d795caa0ac3272bb6b8e754b34ace43d284d9761e51b46a4426a0c437e00c8a527a3587bb4038eb6494a9ed2f95a755d0f6a4f6d74563d66b426144cf5bf
Static task: static1

Behavioral task: behavioral1
- Sample: Pagos-133, 195 & 285/Documento de Pago/Pago-133.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: Pagos-133, 195 & 285/Documento de Pago/Pago-195.exe
- Resource: win7v20210408
Malware Config

Extracted: xloader 2.3
Extracted
- Protocol: smtp
- Host: smtp.azebal.com
- Port: 587
- Username: kimone@azebal.com
- Password: #*ehEFidm0
Extracted: remcos 3.1.5 Pro
- RemoteHost: ramzy.duckdns.org:2005
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: agent.exe
- copy_folder: Remcos
- delete_file: true
- hide_file: true
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-RV1M2P
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
Targets

Target: Pagos-133, 195 & 285/Documento de Pago/Pago-133.exe
- Size: 423KB
- MD5: 42cfb7889c4a5fb1e3ab405d6749ff5c
- SHA1: a652bb67bb18c540b8b730f8ec82557fc3f9e4cd
- SHA256: f68c7bdc06b19a327f1428383d0df7b73158abb5604f2368f04233ba0020953c
- SHA512: 3bc5864d22bfd533c53df4b59f7e458c6334e5fdaab48ef35b8abc2f7d8d63f884a672e0b35bc9a851a080995ba084fd9dcdc40a590c86c83141dbdce958a20b

- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Deletes itself
- Suspicious use of SetThreadContext

Target: Pagos-133, 195 & 285/Documento de Pago/Pago-195.exe
- Size: 467KB
- MD5: fd8c8b6a75beb812171a759eb586a9cd
- SHA1: 3803aaa0d31603efa2ae699c19131c46d0b1edd3
- SHA256: 453f04cce9aec338600473b9b81fc009ca69e899e2c5e9c4778cb5fa9caf36bc
- SHA512: b12c0b63fc50d3693c9a4ad50492279850c8e1ba96ac5013ac8fe04da8a0f4a1e7de3ad3909d57fa66e4ac25f4efc8800d75287ae461242f098b05bce09489d4
- Score: 10/10

- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: Pagos-133, 195 & 285/Documento de Pago/Pago-285.exe
- Size: 909KB
- MD5: 9768933afbf8fc3321fabe7ef5b8b140
- SHA1: 33c36facdb8b28dd8f63c86c7c65af9899203212
- SHA256: b06ee4f0f1e474a53678998bb8c66b7e8b516b56ee017915963f09821bc55ca4
- SHA512: 7066f5ac68ff7a6e622d98f3caf2cab5c3484748ffd188cd875cf632c9da4f9bf4592a883a7abffa88609bb0b7fde8bbf0f4381d023edb5df50b59a6488edfdf

- NirSoft MailPassView: Password recovery tool for various email clients
- Nirsoft
- Xloader Payload
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext