General
-
Target
22f0ac97de0f5dd3d4a95b9ba14684a5.bin
-
Size
860KB
-
Sample
230922-bldyaade43
-
MD5
70607533660d3988858923e6c7dcbac4
-
SHA1
81d62f4972d109e9950251e746213c5b9401e65b
-
SHA256
f90bc2429f21b0f1eb58a81330c6a627a3f6cace2189babc00f5bb4e2853448d
-
SHA512
11d90e3e56aec489168a63b47d9fe99277caa43adc174a4670589d9a83452cc2dd21678c2865ebfce476a98fb75bc2efe62fd3cf1fa93e1b616330be3e8c473b
-
SSDEEP
24576:8yRNydMK+NuadRk6+CS9iCVddwIHfYbTDm38:Vh5rRk6RS9iCqE0DmM
Static task
static1
Behavioral task
behavioral1
Sample
80407312227a80e31ac1d171f2d9c8fb31ee16fc8d089d4c861d53b34e6630d2.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
80407312227a80e31ac1d171f2d9c8fb31ee16fc8d089d4c861d53b34e6630d2.exe
Resource
win10v2004-20230915-en
Malware Config
Extracted
remcos
Crypted
95.214.24.210:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
ourytgbh.dat
-
keylog_flag
false
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
puestodg-TE5TIH
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
- startup_value
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
80407312227a80e31ac1d171f2d9c8fb31ee16fc8d089d4c861d53b34e6630d2.exe
-
Size
882KB
-
MD5
22f0ac97de0f5dd3d4a95b9ba14684a5
-
SHA1
8c79409bda7b2bcc4eb418494bf0904048ecb316
-
SHA256
80407312227a80e31ac1d171f2d9c8fb31ee16fc8d089d4c861d53b34e6630d2
-
SHA512
f1eda7b0ce1fce5edbfec10a01f3c072de5f035a773fc635c29eee67fcb1ed3eb4795007722457ae12cb0d4f9f5a1ad9d809f7eed758b312087644ae6a10b9be
-
SSDEEP
24576:eq7JcjVuJlRAPpmZsWpdmlKK99NDpKGN/VcUN/:V7uEqisWvKWGNNN/
Score10/10-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-