General
- Target: OFFER REQUEST.exe
- Size: 348KB
- Sample: 230607-l1s1vshe62
- MD5: 12f1f8b544a44c9e417a7265a4c02a4c
- SHA1: 20b172d83dcdb9974b8e222f14ea1e48eeccbfbe
- SHA256: c4a1a8af4c1336e8e69e1914959cbf3bc4bfe5221639a163244d19fd60e8af19
- SHA512: a462d5c3828d6fc6a40ff0dcb166abc6116008add3e8eb92be9b04ccd923c0b2abcc489eeb8b19c0805607063e76660948c9b5c985f0fff599080c94149c8acf
- SSDEEP: 6144:tIw3EwpCED/b1Myi5LQyUXme7HkSv7QFkMaTfKSzRm9C42+krMwUuDP:Aob1MyaQLmesdhgRmIdgyz
Static task: static1

Behavioral task: behavioral1
- Sample: OFFER REQUEST.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: OFFER REQUEST.exe
- Resource: win10v2004-20230220-en
Malware Config
Extracted: remcos
- babynwa
- Host: callito2024.sytes.net:2097
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: ssc.exe
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: true
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_path: %AppData%
- mouse_option: false
- mutex: Rmc-JLXQ0I
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: OFFER REQUEST.exe
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext