General
- Target: 9713464660.zip
- Size: 291KB
- Sample: 230327-pz4bzsdd98
- MD5: dcdfb142995b6250df3632830d1b15e8
- SHA1: de08ba21800443aa24147e9069cc1234c5f0ff43
- SHA256: 6f40097d34750d8d94cb3131e4c6643d47ea6541997ae4f18e01ef14189a988c
- SHA512: a2e4712efc6513cad91b8a993bbf8250ca2b633a6b2889c9fde1565293cab3b4ed7f5873971196d7905f73b2ff1aa52abca223aa4fdd15e2862fe72893e7fe3d
- SSDEEP: 6144:/jtnW/+MilC/TjLVHfIuRh3pd9rWypFzYOfErZ7pqAibCcZIUzMtx0NB5WT:7tniikR/IuRR39JpFzMgPFZcx0NPw
Static task
- static1
Behavioral task
- behavioral1
  - Sample: INVOICE.exe
  - Resource: win7-20230220-en
Behavioral task
- behavioral2
  - Sample: INVOICE.exe
  - Resource: win10v2004-20230220-en
Malware Config
Extracted: remcos
- RemoteHost: darren2023.sytes.net:2115
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: scs.exe
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: true
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_path: %AppData%
- mouse_option: false
- mutex: Rmc-3YNKQ0
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: INVOICE.exe
- Size: 294KB
- MD5: f5da0115ae4a3eb7b325a8756b1013f7
- SHA1: 7832e5c3f52a4227e49b77968b2e316a4f575363
- SHA256: 198c4b09ed4b8a46cfca9fd672797c0bb6f6d9a84016fd4f699ec65be9b9de3d
- SHA512: 7389875afb1896958043c451bf1b0f354a8052041baa595f6765ca33a35eed693d3df88eaca55ac537039aca7380a2a17dbf4829b39b7ee406012416d8a50f4b
- SSDEEP: 6144:GT4DtMmNNsXLWs9baMwEyGnTaaZOMnUivg5FLJTQhli0xk74/S:GT9XLWszTa9Mdvg5FxQXi0xx/S
Score: 10/10
Signatures
- Checks QEMU agent file: Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext