General
-
Target
RHOP98765434567.exe
-
Size
3.0MB
-
Sample
230329-kr54dshb71
-
MD5
3d952325df2fcee9f13e65ba3521d24a
-
SHA1
010492a6847e3ed25ea0bd21d87cc426e1136905
-
SHA256
6c2e005c4bd6e0ec6402f78c2dbf971a3853ac0dc2bbb6017f6a5e27a8e770d6
-
SHA512
53e40c3a79a8f9774b84d10cda62eba831926862f6ed2f6675895387de1fb1bd8d5c94e4d3a754ca88e5a98df7d1444984e3c16fe00ba11cdbe924a59f1fa31c
-
SSDEEP
24576:wf37Tcvq0qcNRcZt3YUJuSLdv/gD5XthTAb6xdW4DN3/0CdRNkr8knnOgZ5edT+X:YZtomOXXTAPYVQYD1jzORYfM2wHH
Static task
static1
Behavioral task
behavioral1
Sample
RHOP98765434567.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
RHOP98765434567.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
remcos
RemoteHost
91.193.75.179:8780
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-6VYQMP
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
RHOP98765434567.exe
-
Size
3.0MB
-
MD5
3d952325df2fcee9f13e65ba3521d24a
-
SHA1
010492a6847e3ed25ea0bd21d87cc426e1136905
-
SHA256
6c2e005c4bd6e0ec6402f78c2dbf971a3853ac0dc2bbb6017f6a5e27a8e770d6
-
SHA512
53e40c3a79a8f9774b84d10cda62eba831926862f6ed2f6675895387de1fb1bd8d5c94e4d3a754ca88e5a98df7d1444984e3c16fe00ba11cdbe924a59f1fa31c
-
SSDEEP
24576:wf37Tcvq0qcNRcZt3YUJuSLdv/gD5XthTAb6xdW4DN3/0CdRNkr8knnOgZ5edT+X:YZtomOXXTAPYVQYD1jzORYfM2wHH
Score10/10-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Suspicious use of SetThreadContext
-