General
Target: a.exe
Size: 6KB
Sample: 230505-fz6yfage46
MD5: 0f7b882782215a347db43e0d23faa659
SHA1: 232b7b5d0ddaf74290eb4255df89ec9c97d10679
SHA256: 558944fc2adfcd051a2f55cf18141d0b6e70282d51bb425e4035c09d39aac49a
SHA512: 6943a83d12df2f1597383901b0b416d224f7499aa6163ee4aef1de89458173ac989d8fac55cb80e8ae5aada8873bee498b52eed9d105f189ae66b9b839820e43
SSDEEP: 48:6SlzmldOWI5yAHN39fK0FplFcXJhyPFlL/J3th+kYvd4YgW3gp6cOulavTqXSfbi:FEOIQNVjrXcWD7RtwkYv1op7svNzNt
Static task: static1
Behavioral task: behavioral1 (Sample: a.exe, Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: a.exe, Resource: win10v2004-20230220-en)
Malware Config

Extracted: redline
135.181.11.39:33468
auth_value: 8371c94cfa5b9230afb9ccb73536d331

Extracted: amadey
3.70
tadogem.com/dF30Hn4m/index.php

Extracted: aurora
94.142.138.215:8081

Extracted: remcos
dream
report1.duckdns.org:3380
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-3IC60X
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: a.exe
Size: 6KB
- Gh0st RAT payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- SectopRAT payload
- Socelars payload
- StormKitty payload
- XMRig Miner payload
- RevengeRat Executable
- mimikatz is an open-source tool to dump credentials on Windows
- Downloads MZ/PE file
- Stops running service(s)
- .NET Reactor protector: Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Uses the VBS compiler for execution
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext