General
Target: 1.exe
Size: 292KB
Sample: 210826-9h5drvap4n
MD5: efc8835857289c3a0203ceacc6c3dc54
SHA1: b714743ed51d7ebde304c6ff3de1e0272a14abc7
SHA256: 12b96d3fdf88e0f6d4aa41aefefa93563c1186566115b78a73964a045e4476d7
SHA512: aa3156d44079d2bbee35c3b65303f8895d783e8e21a4560a66bbfbdfd6d9c13dbe4e1db24be07660a1244b87a72bfa1136ee65ae2af3b173acca0a483e1a1c45
Static task: static1
Behavioral task: behavioral1
  Sample: 1.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 1.exe
  Resource: win10v20210410
Malware Config
Extracted: remcos
  2.7.2 Pro
  Armonia1
  adminpotalpublicpersonaswps.website:64157
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: xlogs107.dat
keylog_flag: false
keylog_folder: Runtime15
keylog_path: %AppData%
mouse_option: false
mutex: !27Mzcjw9@!C9i-ZHLPA2
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Targets
ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
suricata: ET MALWARE Generic .bin download from Dotted Quad
Checks QEMU agent file: Checks presence of QEMU agent, possibly to detect virtualization.
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext