General
-
Target
PS MARILN JACKET S.8 and Sticker Series.docx
-
Size
10KB
-
Sample
230502-lk9zfacc91
-
MD5
fae941100b007533cd7aead9a7155603
-
SHA1
6a434f5d9519417dfb2b408d105a7b5a04a1e8fb
-
SHA256
453e835fcebe5695f7d314712666c6541195decf8ebcb105448daab986b07370
-
SHA512
2920036a5fcd378b85d654a4b0d968b22489d02ae8bde8bd7b2bdd089555325e00d3fa68f4fb8f7e2e554ef364d354a98a864044f24fada6eb8add3217932ff3
-
SSDEEP
192:ScIMmtPYqPC7UpG/bkpbJNONtrdlJFtGxV3rY0u:SPXgqPCfIJNONtjJFtGxxrYv
Static task
static1
Behavioral task
behavioral1
Sample
PS MARILN JACKET S.8 and Sticker Series.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
PS MARILN JACKET S.8 and Sticker Series.docx
Resource
win10v2004-20230220-en
Malware Config
Extracted
http://%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23EXXXIIXXIXIXIXIZXIXXIZIXISSIDIDSIXIXIXIXSZXXIIXZIXIZIXIIXZIIXIZIXIXIIXXIIXSISXIXISI@392089164/3/4/%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23.doc
Extracted
remcos
First God LOVE
yousbresde.ddns.net:31895
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-J6TVLD
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
PS MARILN JACKET S.8 and Sticker Series.docx
-
Size
10KB
-
MD5
fae941100b007533cd7aead9a7155603
-
SHA1
6a434f5d9519417dfb2b408d105a7b5a04a1e8fb
-
SHA256
453e835fcebe5695f7d314712666c6541195decf8ebcb105448daab986b07370
-
SHA512
2920036a5fcd378b85d654a4b0d968b22489d02ae8bde8bd7b2bdd089555325e00d3fa68f4fb8f7e2e554ef364d354a98a864044f24fada6eb8add3217932ff3
-
SSDEEP
192:ScIMmtPYqPC7UpG/bkpbJNONtrdlJFtGxV3rY0u:SPXgqPCfIJNONtjJFtGxxrYv
Score10/10-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-