General

- Target: a.exe
- Size: 5KB
- Sample: 230505-eqn6lagd26
- MD5: 810d22712c603f545f1f0605aca6adbd
- SHA1: fe3f75f05358920b0f62d3d365478d0f96d2fa95
- SHA256: 8519d4ea113dd568c204eaf41c364e2191b9ef96b61cd3242901910f7e230e8f
- SHA512: 0c040727c4d147b671ab9c250784420391a0368cbd88fa08254dadef66728535f8b2682394627b3780ee637007ba9d68e853694474c6b80f346b5751e0ff769e
- SSDEEP: 48:6C7+ildOplcN39fLFpkHaoXJhyPFlL/J3th+kYvd4OU3gp697OulavTqXSfbNtm:qwOfcNVLrkHaoWD7RtwkYvVp2svNzNt
Static task: static1
Malware Config

Extracted: amadey
- Version: 3.70
- C2: tadogem.com/dF30Hn4m/index.php

Extracted: remcos
- Botnet: dream
- C2: report1.duckdns.org:3380
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-3IC60X
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5

Extracted: aurora
- C2: 94.142.138.215:8081
Targets
- Target: a.exe (5KB; MD5, SHA1, SHA256, SHA512 and SSDEEP hashes identical to those listed under General above)
Signatures:
- Gh0st RAT payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Downloads MZ/PE file
- Stops running service(s)
- Executes dropped EXE
- Uses the VBS compiler for execution
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext