General
-
Target
tmp/2c9e92d9ce653a74a94c2de5a8893b990d04243677cf86b29709ccc8bb13579d.exe
-
Size
574KB
-
Sample
211210-kjzawahcal
-
MD5
e2c9a309478a22bff158f6216e8e978b
-
SHA1
0acf0370b3b5de0834baa4f5d37b19adcafd93cb
-
SHA256
2c9e92d9ce653a74a94c2de5a8893b990d04243677cf86b29709ccc8bb13579d
-
SHA512
6018a492823979122bda7c471c36a412dc6b0d2354ef72831aae2a582047236cf0bed436b241c4377ef68846f5f2860fd0402ae9989153378992b43c770b8d1d
Behavioral task
behavioral1
Sample
tmp/2c9e92d9ce653a74a94c2de5a8893b990d04243677cf86b29709ccc8bb13579d.exe
Resource
win7-en-20211208
Malware Config
Extracted
remcos
3.3.2 Pro
Spoofer
C2 (host:port): 79.66.202.242:2404
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
Runtime Broker.exe
-
copy_folder
temp
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%WinDir%\System32
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
logs
-
keylog_path
%Temp%
-
mouse_option
false
-
mutex
Runtime Broker-KBEFXR
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Runtime Broker
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Targets
-
-
Target
tmp/2c9e92d9ce653a74a94c2de5a8893b990d04243677cf86b29709ccc8bb13579d.exe
-
Size
574KB
-
MD5
e2c9a309478a22bff158f6216e8e978b
-
SHA1
0acf0370b3b5de0834baa4f5d37b19adcafd93cb
-
SHA256
2c9e92d9ce653a74a94c2de5a8893b990d04243677cf86b29709ccc8bb13579d
-
SHA512
6018a492823979122bda7c471c36a412dc6b0d2354ef72831aae2a582047236cf0bed436b241c4377ef68846f5f2860fd0402ae9989153378992b43c770b8d1d
-
Adds policy Run key to start application (Explorer policy Run persistence; expected to use the startup_value "Runtime Broker" from the extracted config)
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory (matches install_path %WinDir%\System32 and copy_file "Runtime Broker.exe" in the config; note the space in the name, which mimics the legitimate RuntimeBroker.exe — a useful hunting pivot)
-
Suspicious use of SetThreadContext (commonly associated with process hollowing/injection; correlate with the "Executes dropped EXE" event above)
-