General
Target: AW QUOTE 21505 HQ1-Scan-068703_PDF.rar
Size: 679KB
Sample: 210922-jx48lsbhh3
MD5: 794bfcbbef15294c85c25eb815e88eaf
SHA1: 673988accb192e692282ce99e7e96bb5f9431d6e
SHA256: 08dea6bb572a7af97d8814d5b65a205f87e4a7e989c90aff99045698053d1a8c
SHA512: 19f838ba9301b87e89aee1d221ca4d0c82b189e849a8f333ce0cc0fdc5df248a60ff7925e43e8f3820d26eabf6602aca629503415607b0e1d4b7923b3ba3c316
Static task
static1

Behavioral task
behavioral1
Sample: AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
Resource: win7-en-20210920

Behavioral task
behavioral2
Sample: AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
Resource: win10v20210408
Malware Config
Extracted
remcos
3.2.1 Pro
RemoteHost: 103.156.92.178:7006
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: windows.exe
copy_folder: task manager
delete_file: true
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: AppData-XFQ8F4
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Windows update
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Targets
Target: AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
Size: 1.1MB
MD5: 8a13608bb749ecaead86683f640007ef
SHA1: c72f47b7a5c636b6ca58fbcf65a1d5bfeddada3d
SHA256: e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732
SHA512: adefe0c05316a015d20c7aac8a394671b32c5b0f662103e74578a1149e1b053316a355c9999d5021802c6892d74d6072093979f0c7bd7592311dc3e94d9d1d9d
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext