General
Target: mynew.bat
Size: 49KB
Sample: 230104-hjdcashe3w
MD5: f010a779fc5fa3c0d6ef8d08cf2f82c3
SHA1: 37dec5efe2443e43a4290473b372a40bd9f494f9
SHA256: 7361111dc12ff526cb5391edfadb0a9ce69e75ba8d12b31122b224f9644290c0
SHA512: b76595be308c2e5c23e1f7e578573b1e108885d868a34ae10f18756de7f27f9be1beebc31b2e8275851bfa898f1a15b758ce3f903e7c888895a7779471670db8
SSDEEP: 768:m/7oBdu40Ozbblz1Osan4ha4j0YJDH7bzzE1k07LEHZMIXlOJFt0X495YrS8ra:aEBvHblRI4hJDHnk1dvEVwJL649O2
Static task: static1
Behavioral task: behavioral1
Sample: mynew.bat
Resource: win7-20220812-en
Malware Config
Extracted: remcos
DEC2022
retsuportm.ddnsfree.com:2404
spreadrem1.ddnsfree.com:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: EXAMPLE.exe
copy_folder: EXAMPLE
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: YHGFTRDE.dat
keylog_flag: false
mouse_option: false
mutex: HPLKVPJH-J4G225
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Extracted: netwire
febnew2.ddns.net:6655
febnew1.ddns.net:6655
febnew4.ddns.net:6655
febnew5.ddns.net:6655
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
lock_executable: false
offline_keylogger: false
password: 1234
registry_autorun: false
use_mutex: false
Targets
Target: mynew.bat
Size: 49KB
MD5: f010a779fc5fa3c0d6ef8d08cf2f82c3
SHA1: 37dec5efe2443e43a4290473b372a40bd9f494f9
SHA256: 7361111dc12ff526cb5391edfadb0a9ce69e75ba8d12b31122b224f9644290c0
SHA512: b76595be308c2e5c23e1f7e578573b1e108885d868a34ae10f18756de7f27f9be1beebc31b2e8275851bfa898f1a15b758ce3f903e7c888895a7779471670db8
SSDEEP: 768:m/7oBdu40Ozbblz1Osan4ha4j0YJDH7bzzE1k07LEHZMIXlOJFt0X495YrS8ra:aEBvHblRI4hJDHnk1dvEVwJL649O2
ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
NetWire RAT payload
ModiLoader Second Stage
Executes dropped EXE
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext