General
-
Target
PO2023.docx
-
Size
10KB
-
Sample
230313-ldmkkabf6s
-
MD5
3bd45b53b7c5bb34787723820e0fdae3
-
SHA1
67d08bbc3da158e4d600d6447350e70774a0a35b
-
SHA256
219cefc8a02aa9c891d95febd308941a2f6d2a8fb5dadcb14b747bd456d56e5f
-
SHA512
c7a19b16fc5fbc1d6a68428965f2c4b295cf226f0c91aa7e91401a1c2f121d0177c030e3c3ada1ca30d5fecd8b86d0e69227170a1965c02d0cb5eff599ff80bb
-
SSDEEP
192:ScIMmtP1aIG/bslPL++uO1KPol+CVWBXJC0c3dkJfe:SPXU/slT+LO1YoHkZC9dqm
Static task
static1
Behavioral task
behavioral1
Sample
PO2023.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
PO2023.docx
Resource
win10v2004-20230220-en
Malware Config
Extracted
http://AWWSSS09d0asdas9d0qwqwSADQWDASDASDASDA9009d8qw88asd8asdASDQWCCVFSDFSDF878878787887878788@314482727/se.......se.........se.doc
Extracted
remcos
RemoteHost
top.noforabusers1.xyz:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-5DQBA4
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
formbook
dcn0
ZVx68vDtAMBCwg==
oBMBvsNORkM/O/ox
Ff9pISWkm6eG4lByIspp
c2T42c6CIIF6B8xTxm9XzpVw
bvjhxRbnAC183w==
0lTttSNG4HUDNflyIspp
hPXFlstqiHA/O/ox
WLR+MeerxZ0cNn1ja+IQAYo=
IHRn4xXOVKi477zarG+ObSy7YJA=
Xhf3e+tdAC183w==
Xk0ZAezv2rWH
kngo+vBeSRN7AszNwam3Osmguuqc0MoC
a2Qp7a+E8fSw7LDjpnqEKjsRZA==
3zjy4E7+QM48wg==
YcCmqT3OUNAigVott2pBKiy7YJA=
4+SMeX1juat/5cZ1AZihcyy7YJA=
/+m7sro0OBTl3TMpCw==
i2ctEfe4//a64yklMsgS2J90
+loZ2QKGX0UWgpvErMs=
b9BNCnJWQJS8IfsR0uR3bCy7YJA=
9eiUYE0ynHE/O/ox
F2/75pOIYNg0hzOD99192J8=
Y1xOONdO105okfha33EZ2A==
qYZIIB+dfF0wp1nVWFz067hJ2/qoXEVeAA==
moQMzat7tfKyKPYs
aMZJI/NfUSSpPQUBJ8/11g==
QKMN15GjpHcpyA==
6+S1hTvphhFfoCdj6tw=
DPynhWcnZWho7a0p33EZ2A==
EXY//zDm7ej3Guwo
PSWxPYkk0SNioSdj6tw=
jv+tmhv1ySZloydj6tw=
P8GUV5BhNZflCCBBFg==
IQZ0PWog1lcVVkJYHg==
aOTCq/Cet6AdhSdj6tw=
OBzJrqYS+eac46nZo4aI84kWMEtH
kBzTkbI2LTo/O/ox
a8pwOrU/tyx93a/QrGBpXGQIfZI=
GWoC9K5Mx0GR34urFcDPyQ==
dGxKGM2FI4iAkTOD99192J8=
UqQv8Vkx7WzkCCBBFg==
NcBsPK+YmdZP0cyhY+Lrzw==
zcKbk5oK7NCgFOpa4tHv0g==
uIomFkUTzdWa
QkAF8NuWMZmnPjCFgJBa+Y1t
51w6Gw7c3NyY
IyDnsW89dXaMrAxotF8jGZc=
1s1RHCrCwI8PnVhMY+Lrzw==
zBnRazUUWCsrM5t0SEth
1z4R/XM98Wn3j1RMY+Lrzw==
h3b34yQL3cI8wg==
/+27PhUTzdWa
CO0jnOIoAC183w==
Cn8jz+pyZEfWCCBBFg==
jI4f4NnKFwoSUb4YbnkzePzLv+Sc0MoC
xZnrS1Y+5Sxv1g==
phjYsTTGW8zAMydj6tw=
v7JcJyW3x64phzOD99192J8=
tBJ+Uh3sJxYqbyvrfF6BKjsRZA==
xRTxyfuTgMhGxg==
6ceNTfir2qmQHtxWwqIrI8GQ7h/Te/A2CA==
00gVx7d5/U5soCdj6tw=
Jgvgt58H8MFLfBzTp1VZXCe2ZYg=
1NKRY1QTzdWa
ahmedo.ch
Targets
-
-
Target
PO2023.docx
-
Size
10KB
-
MD5
3bd45b53b7c5bb34787723820e0fdae3
-
SHA1
67d08bbc3da158e4d600d6447350e70774a0a35b
-
SHA256
219cefc8a02aa9c891d95febd308941a2f6d2a8fb5dadcb14b747bd456d56e5f
-
SHA512
c7a19b16fc5fbc1d6a68428965f2c4b295cf226f0c91aa7e91401a1c2f121d0177c030e3c3ada1ca30d5fecd8b86d0e69227170a1965c02d0cb5eff599ff80bb
-
SSDEEP
192:ScIMmtP1aIG/bslPL++uO1KPol+CVWBXJC0c3dkJfe:SPXU/slT+LO1YoHkZC9dqm
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-