General
Target: 07264199.exe
Size: 363KB
Sample: 230606-s6daxsfa4y
MD5: dee45488657ddf8345c2e3b06d7bd97a
SHA1: c732e1f57bbd4df5eb074adf0ade814ba0b2ecff
SHA256: edb595193fc312592db36cf49e9e32757868f4a10419c4ce9a89f63478bf1b1d
SHA512: e6ed07d586b79f034b6e1af1779e17766cd155d6a01c97947f5a094c4d01636fd4a47122cb6c14a70c17c14448b27f2869b3e74ffb0b5fc3918404410f257d66
SSDEEP: 6144:XIw3EwpCUJ3ATRD/opXz3ekXEV7vQ8z7M4+NSMT2DTpGu47G:2UJQ5Gz/UV7I8z7za2Xpr
Static task: static1
Behavioral task: behavioral1
  Sample: 07264199.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 07264199.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: remcos
SowetoHost
C2 host: soweto24.sytes.net:2098
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: scs.exe
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_path: %AppData%
mouse_option: false
mutex: Rmc-3QH5OR
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: 07264199.exe
- Checks QEMU agent file: checks presence of the QEMU agent, possibly to detect virtualization.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext