General
-
Target
d34424d4ff9030116dedad2314fabbcf.rtf
-
Size
27KB
-
Sample
230607-fejbmshd7x
-
MD5
d34424d4ff9030116dedad2314fabbcf
-
SHA1
e8f114e73f8f856483d652344b4ba9334e5b0a14
-
SHA256
828c067539368aee17656ddb7d1c95f9567d7f2bd80b876cabbeed104556f98b
-
SHA512
261455fc69be967af26b3158fa606b07045adee3009c2719005bc359568652d30566066c3e87d1d1854298de746b3de3ec5622d5c2f4287af46522eee9876018
-
SSDEEP
384:6XbGESBab/Y3lb3JBe8o6enzwWC1orexFp2L+3+FEgTrNuHbMU+DUf/wMY/K2Qeg:ofSBx3DenzwWWoafmi/+r4HbrRb2Q75
Static task
static1
Behavioral task
behavioral1
Sample
d34424d4ff9030116dedad2314fabbcf.rtf
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
d34424d4ff9030116dedad2314fabbcf.rtf
Resource
win10v2004-20230220-en
Malware Config
Extracted
remcos
RemoteHost
divdemoce.duckdns.org:35639
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
dtas.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Rmc-GZATCK
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
d34424d4ff9030116dedad2314fabbcf.rtf
-
Size
27KB
-
MD5
d34424d4ff9030116dedad2314fabbcf
-
SHA1
e8f114e73f8f856483d652344b4ba9334e5b0a14
-
SHA256
828c067539368aee17656ddb7d1c95f9567d7f2bd80b876cabbeed104556f98b
-
SHA512
261455fc69be967af26b3158fa606b07045adee3009c2719005bc359568652d30566066c3e87d1d1854298de746b3de3ec5622d5c2f4287af46522eee9876018
-
SSDEEP
384:6XbGESBab/Y3lb3JBe8o6enzwWC1orexFp2L+3+FEgTrNuHbMU+DUf/wMY/K2Qeg:ofSBx3DenzwWWoafmi/+r4HbrRb2Q75
Score10/10-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Suspicious use of SetThreadContext
-