General
-
Target
076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a
-
Size
618KB
-
Sample
220502-dfswcsafe9
-
MD5
55325b6ce1861b7982b9a3e38be7e8c1
-
SHA1
f936c13014e3346c0fa88aca690e0f29276cc991
-
SHA256
076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a
-
SHA512
34d4c2a0498f2c430ff2e9049d2634b1fb49e4155b54749ba31c8dac16e7f1a87947485192d0f77ba5eae7c679040c1e047e8ea875b35b9c0142082844425593
Static task
static1
Behavioral task
behavioral1
Sample
076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe
Resource
win7-20220414-en
Malware Config
Extracted
remcos
1.7 Pro
Host
Artemlok134-50915.portmap.io:50915
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
WindowsDefender.exe
-
copy_folder
WindowsDefender
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%SystemDrive%
-
keylog_crypt
false
-
keylog_file
ban.dat
-
keylog_flag
false
-
keylog_folder
LolWtf
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_igwinxzuvw
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
qTorrent
-
take_screenshot_option
false
-
take_screenshot_time
5
- take_screenshot_title
Targets
-
-
Target
076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a
-
Size
618KB
-
MD5
55325b6ce1861b7982b9a3e38be7e8c1
-
SHA1
f936c13014e3346c0fa88aca690e0f29276cc991
-
SHA256
076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a
-
SHA512
34d4c2a0498f2c430ff2e9049d2634b1fb49e4155b54749ba31c8dac16e7f1a87947485192d0f77ba5eae7c679040c1e047e8ea875b35b9c0142082844425593
-
Modifies WinLogon for persistence
-
suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
-
suricata: ET MALWARE Win32/X-Files Stealer Activity
suricata: ET MALWARE Win32/X-Files Stealer Activity
-
Adds policy Run key to start application
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Modifies WinLogon
-
Suspicious use of SetThreadContext
-