General
Target: c17c0259ca58b7412fbf9ec5a75e3ecc.exe
Size: 158KB
Sample: 221005-m591lsedam
MD5: c17c0259ca58b7412fbf9ec5a75e3ecc
SHA1: 13d2cc140cec0774a4daeb75dbf1333cf7bdf4ac
SHA256: 38415959c6c2be67f3c96932dbfaa903b4d650d00b003c5b59340cb692560a51
SHA512: e428f6355c9fa60b891091e0a629f651968651e8f641e9d7759b3e197a498c88cbc657a8821f8f7abacdf72e1624a2472fead3a0bc116d36c87713f28b9b9ebe
SSDEEP: 3072:+8bupux+SWv5NbwHw66vW2cSkkqFHhDMTYD8WUyy7GeLNcXOh:/2vcSkkqXDjDy3LNUOh

Static task: static1
Behavioral task: behavioral1
Sample: c17c0259ca58b7412fbf9ec5a75e3ecc.exe
Resource: win7-20220812-en
Malware Config
Extracted: remcos (220928)
C2: minecraftrpgserver.com:80
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: software_reporter_tool.exe
copy_folder: Google
delete_file: true
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: true
keylog_file: adbkey.dat
keylog_flag: false
keylog_path: %Temp%
mouse_option: false
mutex: 9416a517bdcd8521-8QM7X6
screenshot_crypt: true
screenshot_flag: true
screenshot_folder: Google
screenshot_path: %Temp%
screenshot_time: 60
startup_value: Google
take_screenshot_option: false
take_screenshot_time: 5
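As an added example (not part of this sandbox report and not Remcos code), the Python below turns the extracted configuration into host and network hunting indicators and runs them over a few constructed events. It assumes things the report does not state: %Temp% is matched as any "...\Temp\" path prefix, persistence is assumed to be an HKCU Run value named after startup_value, and the events (including a benign Chrome software_reporter_tool.exe path under SwReporter\<version>\, which the copy_file name mimics) are made up for the demonstration. Because install_flag and keylog_flag are false in this config, the indicators derived from those features are marked as not expected at runtime rather than dropped.

```python
"""Hunting indicators derived from the Remcos config in this report.

Added example, not part of the sandbox report and not Remcos code.
Config values are copied from the "Malware Config" block; everything
else (path roots, the Run-key persistence location, the sample events)
is an assumption made for the demonstration.
"""
import re

# Values copied verbatim from the extracted configuration.
REMCOS_CONFIG = {
    "c2": "minecraftrpgserver.com:80",
    "mutex": "9416a517bdcd8521-8QM7X6",
    "copy_folder": "Google",
    "copy_file": "software_reporter_tool.exe",
    "keylog_path": "%Temp%",
    "keylog_file": "adbkey.dat",
    "screenshot_path": "%Temp%",
    "screenshot_folder": "Google",
    "startup_value": "Google",
    "install_flag": False,     # copy/persist disabled in this build
    "keylog_flag": False,      # keylogger disabled in this build
    "screenshot_flag": True,   # periodic screenshots enabled
}

# %Temp% expands per user, so match any "...\Temp\" prefix (assumption).
_TEMP = r".*[\\/]Temp[\\/]"
# Assumed persistence location; the report does not show the Run key itself.
_RUN_KEY = r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"


def _env_prefix(token):
    """Map the config's path token to a regex prefix (only %Temp% occurs here)."""
    if token.lower() == "%temp%":
        return _TEMP
    raise ValueError("unhandled path token: %s" % token)


def build_indicators(cfg):
    """Return (name, event_type, regex, expected) tuples.

    `expected` is False when the feature that would produce the artifact is
    switched off in the config, so a hit is notable but not anticipated.
    """
    host, _, port = cfg["c2"].partition(":")
    esc = re.escape
    return [
        ("c2_dns", "dns", re.compile(r"^%s$" % esc(host), re.I), True),
        ("c2_conn", "net", re.compile(r"^%s:%s$" % (esc(host), esc(port)), re.I), True),
        ("mutex", "mutex", re.compile(r"^%s$" % esc(cfg["mutex"])), True),
        ("keylog_file", "file",
         re.compile(_env_prefix(cfg["keylog_path"]) + esc(cfg["keylog_file"]) + r"$", re.I),
         cfg["keylog_flag"]),
        ("screenshot_dir", "file",
         re.compile(_env_prefix(cfg["screenshot_path"]) + esc(cfg["screenshot_folder"]) + r"[\\/]", re.I),
         cfg["screenshot_flag"]),
        # Immediate parent must be copy_folder: Chrome's own
        # software_reporter_tool.exe sits under SwReporter\<version>\, not Google\.
        ("copy_file", "file",
         re.compile(r".*[\\/]%s[\\/]%s$" % (esc(cfg["copy_folder"]), esc(cfg["copy_file"])), re.I),
         cfg["install_flag"]),
        ("run_key", "registry",
         re.compile(r"^%s%s$" % (_RUN_KEY, esc(cfg["startup_value"])), re.I),
         cfg["install_flag"]),
    ]


# Constructed events in a Sysmon-like shape; not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "dns", "value": "minecraftrpgserver.com"},
    {"type": "net", "value": "minecraftrpgserver.com:80"},
    {"type": "mutex", "value": "9416a517bdcd8521-8QM7X6"},
    {"type": "file", "value": r"C:\Users\bob\AppData\Local\Temp\adbkey.dat"},
    {"type": "file", "value": r"C:\Users\bob\AppData\Local\Temp\Google\shot_0001.jpg"},
    # Legitimate Chrome component with the same file name: must not match.
    {"type": "file", "value": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\SwReporter\100.0.0\software_reporter_tool.exe"},
]


def find_hits(indicators, events):
    """Return [(indicator_name, expected)] for every indicator matching any event."""
    hits = []
    for name, etype, rx, expected in indicators:
        if any(ev["type"] == etype and rx.match(ev["value"]) for ev in events):
            hits.append((name, expected))
    return hits


if __name__ == "__main__":
    for name, expected in find_hits(build_indicators(REMCOS_CONFIG), SAMPLE_EVENTS):
        print("%-15s %s" % (name, "expected" if expected else "feature disabled in config"))
```

The copy_file pattern anchors on the immediate parent directory on purpose: matching the bare file name would flag every Chrome install, while matching "Google\software_reporter_tool.exe" catches the Remcos copy location and not Chrome's versioned SwReporter folder. Hits on the keylog file are reported with expected=False because keylog_flag is off in this build, which is worth knowing before treating that path as a primary indicator.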
Targets
Target: c17c0259ca58b7412fbf9ec5a75e3ecc.exe
Size: 158KB
MD5: c17c0259ca58b7412fbf9ec5a75e3ecc
SHA1: 13d2cc140cec0774a4daeb75dbf1333cf7bdf4ac
SHA256: 38415959c6c2be67f3c96932dbfaa903b4d650d00b003c5b59340cb692560a51
SHA512: e428f6355c9fa60b891091e0a629f651968651e8f641e9d7759b3e197a498c88cbc657a8821f8f7abacdf72e1624a2472fead3a0bc116d36c87713f28b9b9ebe
SSDEEP: 3072:+8bupux+SWv5NbwHw66vW2cSkkqFHhDMTYD8WUyy7GeLNcXOh:/2vcSkkqXDjDy3LNUOh

Signatures observed for this target:
- Suspicious use of NtCreateUserProcessOtherParentProcess
- XMRig Miner payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext