General
Target: malware.malware
Size: 301KB
Sample: 230329-mv7shafh72
MD5: 75b23b41f36243fffc52da611b3b82d9
SHA1: ea627869c1a8fe8bb880bb9cf3295ab3dbd26b90
SHA256: d08870854a4dbb6c6e9b1e652b47bf473c3ae3276c7444d38abe5d52e8787d73
SHA512: 3c131d58b55ad0abfa72cf6db4f364d28f43468a9ff06565709759bc26eedf61a735c57ed5a7c544f795c74baf48d77569a9d5c2c7c9db23d5369fa961b1f94f
SSDEEP: 6144:XVuT5A5YTlJVGtI9PKwa3khbtHNjr8s8c3Hwwj+DjV8cYsEprsj6B:FzeXGtSPh6OdNjr863j+DWcnElsj6B
Static task: static1
Behavioral task: behavioral1
Sample: inv.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: inv.exe
Resource: win10v2004-20230220-en
Malware Config
Extracted
Family: remcos
Botnet: MMIRI
C2: ndimmiri.hopto.org:2405
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-MXTD7V
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: inv.exe
Size: 317KB
MD5: acce8a554e6154f61067c59535eac1c1
SHA1: ce196388ce5ee689312a9b34deb73508a21d64ea
SHA256: 38f5687fad9929a8e43aea5b4917d7be22694fc8cffbf4160505a3c9f6e34df8
SHA512: 8d8b81d772811da03fd8a38e2dd3862caea42b1dc98ffa8de4db9b436e69ea44fd23f288a3cc2d64c9c0c471f7cd8b63e30f1a9812fb03be39f4bed4a88a12d4
SSDEEP: 6144:o7eFFxh7tYTUwPWj+Pc7LJ/WlWXsZ8FubzMJnqMbNwkFGVD4Wx4DE3H:q8FxhRYH8+0R/WlWXKbzuPNdMfxj
Score: 10/10
- Checks QEMU agent file: checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
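The extracted config and the behavioral signatures above translate directly into host and network indicators: the C2 host and port, the mutex, the copy folder and file name, the keylog file name, and the Run value name. The script below is an added example, not part of the sandbox report or of any Remcos tooling: it takes the config values from the Malware Config section, derives matchable indicators from them, and runs them over a handful of constructed Sysmon-style event records. The "botnet"/"C2" labels on the first two config entries are assumed from the usual report layout, the event records are made up for the demonstration, and the install directory base is not in the config, so file indicators are matched as folder\file suffixes. Note the caveats visible on the page itself: install_flag and keylog_flag are both false, so the keylog file and the configured startup value may never appear for this sample even though the sandbox did observe a Run key being added; the example hunts for all of them anyway because they are cheap checks.

```python
"""Hunt for the Remcos indicators listed in this report.

Added example, not part of the sandbox report: the config values are copied
from the Malware Config section; the event records are constructed here to
resemble Sysmon records and did not come from the sandbox run.
"""

# Extracted config (the "botnet" and "c2" labels are assumed from the usual
# report layout: botnet id first, then host:port).
REMCOS_CONFIG = {
    "botnet": "MMIRI",
    "c2": ["ndimmiri.hopto.org:2405"],
    "copy_file": "remcos.exe",
    "copy_folder": "Remcos",
    "install_flag": False,
    "keylog_file": "logs.dat",
    "keylog_folder": "remcos",
    "mutex": "Rmc-MXTD7V",
    "startup_value": "Remcos",
}

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"


def derive_iocs(cfg):
    """Turn the config into concrete, matchable indicators.

    The install directory base is not part of the config, so the file
    indicators are folder\\file suffixes that match wherever the directory
    is rooted (%AppData% is the usual place, but that is not asserted here).
    """
    hosts, ports = [], []
    for entry in cfg["c2"]:
        host, _, port = entry.rpartition(":")
        hosts.append(host.lower())
        ports.append(int(port))
    return {
        "c2_hosts": hosts,
        "c2_ports": ports,
        "mutex": cfg["mutex"],
        "install_suffix": f"\\{cfg['copy_folder']}\\{cfg['copy_file']}".lower(),
        "keylog_suffix": f"\\{cfg['keylog_folder']}\\{cfg['keylog_file']}".lower(),
        "run_value": cfg["startup_value"],
    }


def scan_events(events, iocs):
    """Return (label, event) pairs for every event that matches an indicator."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set":
            # Run key persistence: key path ends in ...\CurrentVersion\Run and the
            # value name equals the configured startup_value.
            if (ev["key"].lower().endswith(RUN_KEY_SUFFIX)
                    and ev["value_name"] == iocs["run_value"]):
                hits.append(("run_key_persistence", ev))
        elif kind == "file_create":
            path = ev["path"].lower()
            if path.endswith(iocs["install_suffix"]):
                hits.append(("payload_copy", ev))
            elif path.endswith(iocs["keylog_suffix"]):
                hits.append(("keylog_file", ev))
        elif kind == "mutex_create":
            if ev["name"] == iocs["mutex"]:
                hits.append(("mutex", ev))
        elif kind == "dns_query":
            if ev["query"].lower().rstrip(".") in iocs["c2_hosts"]:
                hits.append(("c2_dns", ev))
        elif kind == "net_connect":
            if ev["dst_host"].lower() in iocs["c2_hosts"]:
                hits.append(("c2_connect", ev))
            elif ev["dst_port"] in iocs["c2_ports"]:
                # Port alone is a weak signal: the C2 is a dynamic-DNS name, so
                # the resolved IP can change; keep the hit but label it as weak.
                hits.append(("c2_port_only", ev))
    return hits


def summarize(hits):
    """Count hits per label."""
    counts = {}
    for label, _ in hits:
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed events for the demonstration; not from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Remcos", "data": r"C:\Users\victim\AppData\Roaming\Remcos\remcos.exe"},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\Remcos\remcos.exe"},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\remcos\logs.dat"},
    {"type": "mutex_create", "name": "Rmc-MXTD7V"},
    {"type": "dns_query", "query": "ndimmiri.hopto.org"},
    {"type": "net_connect", "dst_host": "203.0.113.10", "dst_port": 2405},
    {"type": "net_connect", "dst_host": "example.org", "dst_port": 443},
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "data": r"C:\Program Files\OneDrive\OneDrive.exe"},
    {"type": "file_create", "path": r"C:\Windows\Temp\report.txt"},
]

if __name__ == "__main__":
    for label, ev in scan_events(SAMPLE_EVENTS, derive_iocs(REMCOS_CONFIG)):
        print(f"{label:20s} {ev}")
```

Matching on the mutex name and the folder\file suffixes is exact and cheap, which is why they make good first-pass hunts; the port-only network match is kept separate because a bare destination port generates false positives, and the DNS match is the stronger network signal for a dynamic-DNS C2 whose IP may rotate.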