General
Target: e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6
Size: 754KB
Sample: 221130-bnhn9ahg3w
MD5: d963ac1435b96872ea5380743976002a
SHA1: 5f043557947581d52642d2622ea88e3d133861bf
SHA256: e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6
SHA512: 24ca9faa7c4af577ee1cf5e5966968eab5a1c186eefdcb351efd59e6310103b5180ab931446c4b37f9a3ed834bd39a876585d2b8755cf49356afdb2d25ed7648
SSDEEP: 12288:AOXBqPwNK7sb7/sn1gSp4JZQwcJ4ogRM6qLQxs8iKFhpezUQtD9jq:Te7w7En1gSp4TCYW4i8l7ezUA9j
Static task: static1
Malware Config
Extracted
remcos
1.7 Pro
Nov End
terzona2022.duckdns.org:3030
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: Windows input text.exe
copy_folder: Microsoft Text
delete_file: false
hide_file: true
hide_keylog_file: true
install_flag: true
install_path: %WinDir%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: Windows Display
keylog_path: %WinDir%
mouse_option: false
mutex: Windows Audio
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: Microsoft Sound Text
take_screenshot_option: true
take_screenshot_time: 5
take_screenshot_title: Username;password;proforma;invoice;notepad
Targets
Target: e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext