General
-
Target
DHL-DELIVERY.xls
-
Size
1.1MB
-
Sample
230325-rjed2afb6t
-
MD5
be84f1e6413ba0bb6ec49d35823d1595
-
SHA1
b9553cf3e10c59317911b8696a395ff8b25313e5
-
SHA256
c8d3e42842b7f455b7b98cfee659d11d43c66fce89799f40f38b1b51a7405cad
-
SHA512
78df095f3856846ba80f67397d75b417011c711ce3ba46f2d466a08799c08f84726496551eeb7f63eff7cc04d497f4b4b8305bee86b0fc9c8eba7240d5b5fff6
-
SSDEEP
24576:GLKJWQmmav30x6+MXUu9/VSP+MXUu9L3bVh+MXUu9c3bV5zkkz4C/V:GLKYQmmQ30w+MXV9tA+MXV9L3bVh+MXK
Static task
static1
Behavioral task
behavioral1
Sample
DHL-DELIVERY.xls
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
DHL-DELIVERY.xls
Resource
win10v2004-20230220-en
Malware Config
Extracted
remcos
First-Send
top.not4abuse1.xyz:1558
sub.not4abuse1.xyz:1558
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
rmcs
-
mouse_option
false
-
mutex
Rmc-4RNJ4J
-
screenshot_crypt
false
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
20
-
startup_value
Remcos
-
take_screenshot_option
true
-
take_screenshot_time
5
-
take_screenshot_title
Mail;Payment;Bank
Targets
-
-
Target
DHL-DELIVERY.xls
-
Size
1.1MB
-
MD5
be84f1e6413ba0bb6ec49d35823d1595
-
SHA1
b9553cf3e10c59317911b8696a395ff8b25313e5
-
SHA256
c8d3e42842b7f455b7b98cfee659d11d43c66fce89799f40f38b1b51a7405cad
-
SHA512
78df095f3856846ba80f67397d75b417011c711ce3ba46f2d466a08799c08f84726496551eeb7f63eff7cc04d497f4b4b8305bee86b0fc9c8eba7240d5b5fff6
-
SSDEEP
24576:GLKJWQmmav30x6+MXUu9/VSP+MXUu9L3bVh+MXUu9c3bV5zkkz4C/V:GLKYQmmQ30w+MXV9tA+MXV9L3bVh+MXK
Score10/10-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-