General
Target: Enquiry MW886079 ( Flowstar.CO.UK ).gz
Size: 549KB
Sample: 211021-nfnazsbafq
MD5: 4ce3bce24b7d3758843fc11e8cb0e664
SHA1: efafe0b720d1072da97468e935705b7a635e2ead
SHA256: 34b348476c9948e33243898e3cae38d0831305fecb871c19d9f5519ff63ccc77
SHA512: 5f84642d85fdb70297a307f029835998bc70ce5e33d9a6f4a02e08ebd038bbed2716a15ed7726c5a67f90648833c4d142c16d8e025289983b7fec84ef1c6497a
Static task: static1
Behavioral task: behavioral1
Sample: Enquiry MW886079 ( Flowstar.CO.UK ).exe
Resource: win10-en-20210920
Malware Config
Extracted: remcos 3.3.0 Pro
RemoteHost: hadrqlo.ddns.net:4301
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-27TUGW
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Targets
Target: Enquiry MW886079 ( Flowstar.CO.UK ).exe
Size: 901KB
MD5: c396a92cfb2646cde0b781fc5e65bc16
SHA1: 337984712bcb8e1ed775008a104013ec171da0e9
SHA256: 1bcb5256d3c0ac49ce2b13c2638d2a795f6cdf77591d29cb01d0b3731615470b
SHA512: 4f6663135c21f51d63cf635c05f557aede0ac131ca4fbf3375e0a184a1530137ac3607c87b2f4eaf3fd8e5f989c908e9bc0f813f9b57df735b2c20cf03da0f8a
Score: 10/10
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext