General
-
Target
PRODUCT ENQUIRY #20211030.xz
-
Size
881KB
-
Sample
211030-t4exeabhcq
-
MD5
16130757a19466ebcdffe8ad74d79f77
-
SHA1
e7088b407497b864070ad663eaa72381d67feb3b
-
SHA256
58cdfe26cdb404c5dc2eef57366c8d0d10e4b2176d3a1973115b78c9981081bf
-
SHA512
c66f25ff065344318e84376b5a83e4cdb845e667428cbf7ed314f76b3ef5f334559c9220b02b602793ecf396f88dccc385a2ee74379136f588824af6ee2b6cac
Static task
static1
Behavioral task
behavioral1
Sample
PRODUCT ENQUIRY #20211030.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
PRODUCT ENQUIRY #20211030.exe
Resource
win10-en-20211014
Malware Config
Extracted
remcos
3.3.0 Pro
TMT stub
185.140.53.178:2404
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-9B7MHK
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Targets
-
-
Target
PRODUCT ENQUIRY #20211030.exe
-
Size
1.6MB
-
MD5
d4ab0233615eac735996a239124e9dbe
-
SHA1
eae1a6445bd76e829261323fb1718fa7402f0a7c
-
SHA256
396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9
-
SHA512
446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062
Score10/10-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Suspicious use of SetThreadContext
-