General
-
Target
FedEx AWB 8002566716536.doc
-
Size
229KB
-
Sample
210727-ydxjlns1w6
-
MD5
9c26af04ea48f7d88b95a286c66c3f00
-
SHA1
eaee1d09024ac079821084d7c19de6347e10232f
-
SHA256
44064d93545f38520fcadc58302473ea99087deb716b245fcec3d3bd78b9ba34
-
SHA512
46a0fd89002f0b6cf7f3fadfac5d5e67d7a9b2462fec21992f89267a471283a99779b57737c03f3ad92194d18ff7c7f40a5b147e0be48f457a5ce5548a7d9f77
Static task
static1
Behavioral task
behavioral1
Sample
FedEx AWB 8002566716536.doc
Resource
win7v20210408
Behavioral task
behavioral2
Sample
FedEx AWB 8002566716536.doc
Resource
win10v20210410
Malware Config
Extracted
httP://SXZN.a4t.in/tasksmgr.exe
Extracted
remcos
1.7 Pro
Host
dpqw-avira.bot.nu:2404
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
explorer.exe
-
copy_folder
windows
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_abihghbcgbxx#
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
pdf
-
take_screenshot_option
false
-
take_screenshot_time
5
- take_screenshot_title
Targets
-
-
Target
FedEx AWB 8002566716536.doc
-
Size
229KB
-
MD5
9c26af04ea48f7d88b95a286c66c3f00
-
SHA1
eaee1d09024ac079821084d7c19de6347e10232f
-
SHA256
44064d93545f38520fcadc58302473ea99087deb716b245fcec3d3bd78b9ba34
-
SHA512
46a0fd89002f0b6cf7f3fadfac5d5e67d7a9b2462fec21992f89267a471283a99779b57737c03f3ad92194d18ff7c7f40a5b147e0be48f457a5ce5548a7d9f77
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-