General
Target: KKI.exe
Size: 236KB
Sample: 220901-t7af4aade6
MD5: 114058c333f527780ac04745dc28a4c6
SHA1: 1e584f6ad626793272dc26d8534bd311bfa36aca
SHA256: 62a6270be542aa819e08733e9220e2c553f6562ae6b3b57c12ad6be7ec70abf3
SHA512: e733f7934f988fa04f32cf468666fc2d21c2de5dc1b41211f19df6abf5e6c7c8d435d0768d6fdc57b14c2f9a2ca8d240be637f6404b06afe9ecfc7d346c24632
SSDEEP: 3072:3FRLmrHvTaqLbItmu+2bCIMnxqY8Brf3Ul4LMEt5E1aRMNAaEHK5N/IOkj7YB1U2:VlgvTRHyJC3nxBui4g6MNAhmOO8m7We
Static task: static1
Behavioral task: behavioral1 (sample KKI.exe, resource win7-20220812-en)
Behavioral task: behavioral2 (sample KKI.exe, resource win10v2004-20220812-en)
Malware Config
Extracted: remcos (Mekino Aug)
C2 host: mekremcos23.freedynamicdns.net:2397
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: os.exe
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: true
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
mouse_option: false
mutex: Rmc-ZCU1S6
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: ecv
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: KKI.exe (236KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Score: 10/10
Signatures:
- Executes dropped EXE
- Checks QEMU agent file: checks for the presence of the QEMU agent, possibly to detect virtualization.
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext