General
-
Target
d73252ca8ff73716e936b3d5b35a1ff9eb9b1557d62c38b7b0d84962879aee40
-
Size
333KB
-
Sample
230313-m4j3ssaa76
-
MD5
4a246195bb27825fd930f2e3ac3da414
-
SHA1
669a3821e941bd9c100a7e104c6eb464d69f05ad
-
SHA256
d73252ca8ff73716e936b3d5b35a1ff9eb9b1557d62c38b7b0d84962879aee40
-
SHA512
f0efbcee210d3c5fc9d4ae5be43fa15fa842f447a5f8b842293fbf91e9324e2a0d6ff3e61e02d802501d1e0a40a14abe7339d1897ccb44e60f2c42c3b10704ec
-
SSDEEP
6144:uYa6G9boybyHR6afmNETTPY8PzGc732UqCjmyWRf0+vsDT9NSCbZjKa:uYo9IHR7rY8LSUqh9Rs+vAIaL
Static task
static1
Behavioral task
behavioral1
Sample
d73252ca8ff73716e936b3d5b35a1ff9eb9b1557d62c38b7b0d84962879aee40.exe
Resource
win10-20230220-en
Malware Config
Extracted
remcos
RemoteHost
top.noforabusers1.xyz:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-5DQBA4
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
formbook
dcn0
ZVx68vDtAMBCwg==
oBMBvsNORkM/O/ox
Ff9pISWkm6eG4lByIspp
c2T42c6CIIF6B8xTxm9XzpVw
bvjhxRbnAC183w==
0lTttSNG4HUDNflyIspp
hPXFlstqiHA/O/ox
WLR+MeerxZ0cNn1ja+IQAYo=
IHRn4xXOVKi477zarG+ObSy7YJA=
Xhf3e+tdAC183w==
Xk0ZAezv2rWH
kngo+vBeSRN7AszNwam3Osmguuqc0MoC
a2Qp7a+E8fSw7LDjpnqEKjsRZA==
3zjy4E7+QM48wg==
YcCmqT3OUNAigVott2pBKiy7YJA=
4+SMeX1juat/5cZ1AZihcyy7YJA=
/+m7sro0OBTl3TMpCw==
i2ctEfe4//a64yklMsgS2J90
+loZ2QKGX0UWgpvErMs=
b9BNCnJWQJS8IfsR0uR3bCy7YJA=
9eiUYE0ynHE/O/ox
F2/75pOIYNg0hzOD99192J8=
Y1xOONdO105okfha33EZ2A==
qYZIIB+dfF0wp1nVWFz067hJ2/qoXEVeAA==
moQMzat7tfKyKPYs
aMZJI/NfUSSpPQUBJ8/11g==
QKMN15GjpHcpyA==
6+S1hTvphhFfoCdj6tw=
DPynhWcnZWho7a0p33EZ2A==
EXY//zDm7ej3Guwo
PSWxPYkk0SNioSdj6tw=
jv+tmhv1ySZloydj6tw=
P8GUV5BhNZflCCBBFg==
IQZ0PWog1lcVVkJYHg==
aOTCq/Cet6AdhSdj6tw=
OBzJrqYS+eac46nZo4aI84kWMEtH
kBzTkbI2LTo/O/ox
a8pwOrU/tyx93a/QrGBpXGQIfZI=
GWoC9K5Mx0GR34urFcDPyQ==
dGxKGM2FI4iAkTOD99192J8=
UqQv8Vkx7WzkCCBBFg==
NcBsPK+YmdZP0cyhY+Lrzw==
zcKbk5oK7NCgFOpa4tHv0g==
uIomFkUTzdWa
QkAF8NuWMZmnPjCFgJBa+Y1t
51w6Gw7c3NyY
IyDnsW89dXaMrAxotF8jGZc=
1s1RHCrCwI8PnVhMY+Lrzw==
zBnRazUUWCsrM5t0SEth
1z4R/XM98Wn3j1RMY+Lrzw==
h3b34yQL3cI8wg==
/+27PhUTzdWa
CO0jnOIoAC183w==
Cn8jz+pyZEfWCCBBFg==
jI4f4NnKFwoSUb4YbnkzePzLv+Sc0MoC
xZnrS1Y+5Sxv1g==
phjYsTTGW8zAMydj6tw=
v7JcJyW3x64phzOD99192J8=
tBJ+Uh3sJxYqbyvrfF6BKjsRZA==
xRTxyfuTgMhGxg==
6ceNTfir2qmQHtxWwqIrI8GQ7h/Te/A2CA==
00gVx7d5/U5soCdj6tw=
Jgvgt58H8MFLfBzTp1VZXCe2ZYg=
1NKRY1QTzdWa
ahmedo.ch
Targets
-
-
Target
d73252ca8ff73716e936b3d5b35a1ff9eb9b1557d62c38b7b0d84962879aee40
-
Size
333KB
-
MD5
4a246195bb27825fd930f2e3ac3da414
-
SHA1
669a3821e941bd9c100a7e104c6eb464d69f05ad
-
SHA256
d73252ca8ff73716e936b3d5b35a1ff9eb9b1557d62c38b7b0d84962879aee40
-
SHA512
f0efbcee210d3c5fc9d4ae5be43fa15fa842f447a5f8b842293fbf91e9324e2a0d6ff3e61e02d802501d1e0a40a14abe7339d1897ccb44e60f2c42c3b10704ec
-
SSDEEP
6144:uYa6G9boybyHR6afmNETTPY8PzGc732UqCjmyWRf0+vsDT9NSCbZjKa:uYo9IHR7rY8LSUqh9Rs+vAIaL
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-