General
Target: 7803356153.zip
Size: 436KB
Sample: 220803-ya2arsffbp
MD5: b95040e3a2574bdfb207fc7322b82d36
SHA1: a96cff4a22efd9c875b39cedb9e5f706ae34eb85
SHA256: e943c7d841ec46e786a7d2eafbc5e89329c132a4865ed1edc502be68012e94fc
SHA512: ec8db9c23f6beead9da504146daf8a2aedfdfb30a0c00e9bf450393f29199d775a0947f28278a3597cccb8a3473cd119179ce9fbdfca12842f67f7b13632f246
Static task: static1
Behavioral task: behavioral1
  Sample: 2eb38f178185eea7a7d83cf7f3d85c7ebc45d82663f37294a79bbaf6e4f7860d.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 2eb38f178185eea7a7d83cf7f3d85c7ebc45d82663f37294a79bbaf6e4f7860d.exe
  Resource: win10v2004-20220721-en
Malware Config
Extracted: remcos
RemoteHost:
  dash.3utilities.com:2404
  dash1.3utilities.com:2404
  dash2.ddns.net:2404
  bash.mywire.org:2404
  bash1.accesscam.org:2404
  dash3.ddns.net:2404
  dash4.ddns.net:2404
  bash2.accessscam.org:2404
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: dashboard-AEPCOD
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Targets
Target: 2eb38f178185eea7a7d83cf7f3d85c7ebc45d82663f37294a79bbaf6e4f7860d
Size: 796KB
MD5: 615def171d3b415388d7e204a0c008fd
SHA1: 0bb178878475eb4b66a701afe99b2073473051c3
SHA256: 2eb38f178185eea7a7d83cf7f3d85c7ebc45d82663f37294a79bbaf6e4f7860d
SHA512: 9b3e5420d1d77c163f7d4820f04131d945cb31d1d178f8fffe11745a0bd34b521d18cefbda2be2052ca6ca679096be78423fa7a3af08ddccd3d1891dee0a6aba
Score: 10/10
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage
Adds Run key to start application