General
- Target: Photo_Eva_Elfie_Album.zip.7z
- Size: 956KB
- Sample: 220923-hv712sddf7
- MD5: a057443ad87ac7cb0d5e1fa10115f0fb
- SHA1: b6965ce5dceeed1b178865468858586e32f84daa
- SHA256: 224d4aca2fb5aa52b10f43f36255fe026bbb7b772c1562771a8b9978cdf605de
- SHA512: 144fc76c5bdb7121e7a3ae1ef7e5e1040313a942cf2ee01deac74cec554227610ba1daf6825aff37fb5bc7b7b77823b7c9f1275927bd5431b344412aa6f8a6a6
- SSDEEP: 24576:3XxADxr7uw3+ylBuXtS+aYjaCV8nVHVe0/+ayecwspzQ3GHHu:3XKDFu2+fXkvYjaaAVHVb+ayeDspM3
Static task
- static1

Behavioral tasks
- behavioral1: Sample '.exe; Resource win7-20220812-en
- behavioral2: Sample '.exe; Resource win10v2004-20220812-en
- behavioral3: Sample Photo_Eva_Elfie_Album.vbs; Resource win7-20220901-en
- behavioral4: Sample Photo_Eva_Elfie_Album.vbs; Resource win10v2004-20220812-en
Malware Config
Extracted family: remcos
2023
141.95.84.40:3030
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: AIECWOAJOWOAWVWAV-3MOAQV
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
Targets

Target: '
- Size: 621KB
- MD5: 60da13ec9fbd16ff328e2521e8dd4191
- SHA1: 2e0048bc0143e8586dc2d7b84c252875ab9e0e4f
- SHA256: b101859a33b07bc3270dc58a5270e9d574f4bdc655e57ed68b7b78e93b1abf02
- SHA512: 4e9b7d7c978d19ffcbf07d734129d2588b63d530de902660fa6e21641eb0946026db12b3aeba51d63f61b5bda76b853cc94b50a8e1a37dc73fc0fe9a356cc89c
- SSDEEP: 12288:XLS5VP601MkFnLtQvD9OAftXdhzwHJem7OzwHJe1sx:X25kcJWvROAftXdlwpemIwpe6x
- Score: 1/10
Target: Photo_Eva_Elfie_Album.vbs
- Size: 4.0MB
- MD5: 46dc4877fd6f2dff2449f8dfbb0e25fb
- SHA1: d819365cdcba1ee1e8ca86014ee31a17479124e3
- SHA256: 8df0f81f4b522c8338864c4165bf9754ab91d5c130122d336fc59c20ffcf4d30
- SHA512: 5ca664e4c35682f1611fc4269b7b0c137c3f1430e50f02eb233c5e20bf7d57d2a582bef742fc96a33d09f62db42fae918752d4678314fcf66091f194f705f57f
- SSDEEP: 12288:XwwwgggLLdddiTiirJrc0INNNN4NnWMphAE7ubBrV+gTwQ00hIG2AxVliB1Tz21I:AWaiwIvbwX3Gg
- Score: 10/10

Signatures
- Registers COM server for autorun
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext