General
- Target: e71210a8cb9a16fe0b777e20ab8750cf.bin
- Size: 490KB
- Sample: 230327-csa1msbc53
- MD5: e71210a8cb9a16fe0b777e20ab8750cf
- SHA1: 16ed028a56c4a6b008f66062e574664020cf1d30
- SHA256: a65de678bfc68fa18936e353ba96fed7f00134a30ead01a45f88e10adb33be9b
- SHA512: 6fa9b47082d9212f669563806108e682fda1fdd71b343e21fd93e2163512024d560524bf2b8ebde927035447d85ca0ce8aa925b6b216c0dcb38743b2ea3e42ab
- SSDEEP: 12288:OYyF6L25vWOfQqxa0snt/Rt/04kRVCkv2ey9bdA6NT1:OYyIKNWOYqxZstkXRVCk+B9a6NB
Static task: static1
Behavioral task: behavioral1
- Sample: e71210a8cb9a16fe0b777e20ab8750cf.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: e71210a8cb9a16fe0b777e20ab8750cf.exe
- Resource: win10v2004-20230220-en
Malware Config
Extracted: remcos
- First-Send: top.not4abuse1.xyz:1558, sub.not4abuse1.xyz:1558
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: rmcs
- mouse_option: false
- mutex: Rmc-4RNJ4J
- screenshot_crypt: false
- screenshot_flag: true
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 20
- startup_value: Remcos
- take_screenshot_option: true
- take_screenshot_time: 5
- take_screenshot_title: Mail;Payment;Bank
Targets
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext