General
Target: 8279478571.zip
Size: 692KB
Sample: 221103-st5jmsebcn
MD5: 0a36838ccafa9286678c1790df105fb1
SHA1: 8b67c45cc532d03b5596bea4edbc80f5b4039495
SHA256: 8a0a6222211f0a83491ab63a17e31dd91567d51b2547009eaabbbd30a23fd696
SHA512: 02919f1be1e8799f605676c89bf049314fff85f904e1d2f3c53633b2bc98f2e84338871cdf8fd854ef8410f1588920530ad96cd61c25e5d61d5830e6607e1177
SSDEEP: 12288:pvNCr8OoUzYbEmnb66YwxhAmxU7G6vrgOnsCE8IGlgku7tgSyaCBBSW0K:pALYbnO6Bhl6vrgO02Zu7tKnSWj
Static task: static1
Behavioral task: behavioral1
  Sample: c5706b81a1d2ee066776d358fe683c9cbf853ef3fb0ef0f8a7d86b0f84ff3044.xlsx
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: c5706b81a1d2ee066776d358fe683c9cbf853ef3fb0ef0f8a7d86b0f84ff3044.xlsx
  Resource: win10v2004-20220812-en
Malware Config
Extracted:
  remcos
  XP
  xpremcuz300622.ddns.net:3542
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: oos.exe
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Remcos-MMP2I7
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: kkl
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: c5706b81a1d2ee066776d358fe683c9cbf853ef3fb0ef0f8a7d86b0f84ff3044
Size: 694KB
MD5: 259f46d30a2b6c8da678ce7fe4c3c679
SHA1: d9a430f7ff1e8b0ee20f80b4299e4b99776732c0
SHA256: c5706b81a1d2ee066776d358fe683c9cbf853ef3fb0ef0f8a7d86b0f84ff3044
SHA512: ec5ce338192c414fd79a1c0c936b774c92ddf87e1d7aa06fc20a2571eb006675b74101ddec7b6e5eea95298e1a1a3279a89037a4a35699cfb51159d071e759eb
SSDEEP: 12288:mZknhVXxqZDzMqkOm4jsEUxkGpv2NhmLCE8XPQQkdH7pX4s2z1p4db8fdhQS:maTMI944EUxkyAhKC75ybpI9z0b+d+S
Score: 10/10
- .NET Reactor protector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext