General
-
Target
Best price inquiry.rar
-
Size
742KB
-
Sample
230327-snf9vsga9y
-
MD5
dab70075ceb702aa47a63e91a248d154
-
SHA1
97e606d7a8c8a30b199902eb0c1d390b5743f552
-
SHA256
ef52872464a8c0cac5d8a40077c607cdebdc496f7aeae799b80b993128f233d8
-
SHA512
aad8099f202226f76f0f890b18567fabbc93fb61550ea0f6fa4a75d9753defad0e6500ea9b2674e5b05800f4427ec1b8574c28f9c288bdf9bb83836bf500747f
-
SSDEEP
12288:j60g5FXTGJ9IiPvk9URyULyNE9laVZEjbw/hPqkPK9BIQ8IoviDmK5Vd8KE9:xg5lSLIiK0794Vu0ha9BZ8Io2mG8KE9
Static task
static1
Behavioral task
behavioral1
Sample
Best price inquiry.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Best price inquiry.exe
Resource
win10v2004-20230221-en
Malware Config
Extracted
remcos
RemoteHost
darren2023.sytes.net:2115
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
scs.exe
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Rmc-3YNKQ0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
Best price inquiry.exe
-
Size
768KB
-
MD5
b5d80c839eed720a63fbc6cd47a80a9e
-
SHA1
ef4bf7a44f3f7da17798ad1be32055e359ecd90b
-
SHA256
643d6f1a9a24b68a77de03bbe2ccf63751c072976b14607bb224eda31887f2de
-
SHA512
5355d606140ad0c10d8db7bea8fe1b4a8468947fdc2605f05520ccd931f8aa1c5eb9dc0420b2efa376a9311c85c2cd12431d24a9965bd018e29f48d455fdf46d
-
SSDEEP
24576:aMwf+m50w/dByz9z+NTUv91fZ5ZM1P3A6YlBE5Gw9:aMwf0w/dsYqjfrW93AXbEN9
Score10/10-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-