General
Target: Swift Payment Copy MT103.bin
Size: 699KB
Sample: 220120-nq6v3shger
MD5: 4806b1a0b173a2ef49ff1246b0c51797
SHA1: 4eb5a5b03acd02d971972f1c4a2c402f4319ef53
SHA256: 587279399737ad503b89302814bd0ab5b5bf2eedb69c1a927789c823316eb5f2
SHA512: b0abe0c135772c9d957219ef3a448e9c7eee3565ca7d8332b4bf611eecb3a9c2a0edd91ae2c57cff29c55701eb154b4ac86f6c7e50934f057b33109ed5958a20
Static task: static1
Behavioral task: behavioral1
  Sample: Swift Payment Copy MT103.bin.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: Swift Payment Copy MT103.bin.exe
  Resource: win10v2004-en-20220112
Malware Config
Extracted: remcos (3.3.2 Pro)
RemoteHost: rambolastblood.ddns.net:6327
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: apple-OQFG03
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Extracted: remcos
RemoteHost: rambolastblood.ddns.net:6327
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: apple-OQFG03
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Targets
Target: Swift Payment Copy MT103.bin
Size: 699KB
MD5: 4806b1a0b173a2ef49ff1246b0c51797
SHA1: 4eb5a5b03acd02d971972f1c4a2c402f4319ef53
SHA256: 587279399737ad503b89302814bd0ab5b5bf2eedb69c1a927789c823316eb5f2
SHA512: b0abe0c135772c9d957219ef3a448e9c7eee3565ca7d8332b4bf611eecb3a9c2a0edd91ae2c57cff29c55701eb154b4ac86f6c7e50934f057b33109ed5958a20
Score: 10/10
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Sets service image path in registry
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
- Suspicious use of SetThreadContext