General
Target: 4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499
Size: 1.6MB
Sample: 221128-qhgmbsba81
MD5: 0caf9f956453a97622f714c77409caaa
SHA1: 4563ccc9a48f4b0af56fba631a764f96d72edff0
SHA256: 4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499
SHA512: 36b0e67f49dcc85820b4480597b7693648a00e8cbeff2525e7b64933a57ed298c986d83d36917fe4187d7d7f8fa60a694cd00075081b6c39de59283bed262b05
SSDEEP: 24576:GBPnT4fd0x3OdiRrib/Zj/NJZtF5QURQrbdfBzUOQX6w4OK8J3XRXWz4:GBPmd014iNibNNJZtNQfrgX6wRK4Mz4
Static task: static1
Behavioral task: behavioral1
Sample: 4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499.exe
Resource: win10-20220812-en
Malware Config
Extracted: remcos
RemoteHost: zoz.mastercoa.co:52814
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-KQONS1
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Extracted: redline
Main: 109.206.243.58:81
auth_value: 8d4fa15b87cebd556cbb5208a3db0fdc
Targets
Target: 4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499
Size: 1.6MB
MD5: 0caf9f956453a97622f714c77409caaa
SHA1: 4563ccc9a48f4b0af56fba631a764f96d72edff0
SHA256: 4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499
SHA512: 36b0e67f49dcc85820b4480597b7693648a00e8cbeff2525e7b64933a57ed298c986d83d36917fe4187d7d7f8fa60a694cd00075081b6c39de59283bed262b05
SSDEEP: 24576:GBPnT4fd0x3OdiRrib/Zj/NJZtF5QURQrbdfBzUOQX6w4OK8J3XRXWz4:GBPmd014iNibNNJZtNQfrgX6wRK4Mz4
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Downloads MZ/PE file
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Suspicious use of SetThreadContext