General
Target: fd8616bbc2a530ca9659a3b63b0313c20920ac0c2fd3c6f3b1287a3ea490de37
Size: 868KB
Sample: 230922-n4hemshg43
MD5: 299aaa766f0a359d43b651245f088e2d
SHA1: 745a62b809c95def1da330d6f704a77ca442eee8
SHA256: fd8616bbc2a530ca9659a3b63b0313c20920ac0c2fd3c6f3b1287a3ea490de37
SHA512: e3abfaf237877e7d7bcc30df8796e48622a21278dd354e8835a8bc6649bed7a05182ef31446eecd59abaebbf5d215a999b8ce47b4581de340571a680cb5a23dc
SSDEEP: 24576:afg6WYzFbm5VvJ4THM8Q5hntmXQCltPNDpaGH/VGUjQ:ao6WY5m5Vhm5MhtWlgGH/jQ
Static task: static1
Behavioral task: behavioral1
  Sample: Приложение №1 на АИ-FOB Кавказ_сентябрь-октябрь 2023.exe (Russian filename; reads "Appendix No. 1 for AI-FOB Caucasus, September-October 2023.exe")
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: Приложение №1 на АИ-FOB Кавказ_сентябрь-октябрь 2023.exe
  Resource: win10v2004-20230915-en
Malware Config
Extracted
Family: remcos
Botnet: Crypted
C2: ourt2949aslumes9.duckdns.org:2401
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: paqlgkfs.dat
keylog_flag: false
keylog_path: %AppData%
mouse_option: false
mutex: ourvbpld-RBN2WW
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value:
take_screenshot_option: false
take_screenshot_time: 5
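The configuration above gives everything needed to hunt for this build on an endpoint: the C2 host and port, the mutex, and the file and folder names Remcos would use if installation, keylogging or screenshots were enabled (all three flags are false for this build, yet the behavioral signatures on this page record a Run key being added, so persistence should be checked from telemetry rather than inferred from the config). The Python below is an added example for this page, not Triage's extractor and not Remcos code. It copies the configuration values shown above, assumes %AppData% expands to C:\Users\analyst\AppData\Roaming (the sandbox user is not on the page), and runs the derived indicators over constructed telemetry lines.

```python
"""Turn the extracted Remcos configuration into host/network indicators and
match them against endpoint telemetry.

Added example for this report page; not Triage's extractor, not Remcos code.
REMCOS_CONFIG copies the page; ASSUMED_ENV and SAMPLE_TELEMETRY are constructed.
"""
import re

# Values as extracted on the page (strings kept verbatim).
REMCOS_CONFIG = {
    "botnet": "Crypted",
    "c2": "ourt2949aslumes9.duckdns.org:2401",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "install_flag": "false",
    "keylog_flag": "false",
    "keylog_path": "%AppData%",
    "keylog_file": "paqlgkfs.dat",
    "screenshot_flag": "false",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "mutex": "ourvbpld-RBN2WW",
}

# Assumption: a per-user profile for %AppData%; the real user name is not on the page.
ASSUMED_ENV = {"AppData": r"C:\Users\analyst\AppData\Roaming"}


def expand(path: str) -> str:
    """Expand %Var% placeholders the way Windows would, from ASSUMED_ENV."""
    return re.sub(r"%(\w+)%",
                  lambda m: ASSUMED_ENV.get(m.group(1), m.group(0)), path)


def derive_iocs(cfg: dict) -> dict:
    """Concrete artefacts implied by the configuration."""
    host, _, port = cfg["c2"].rpartition(":")
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "keylog_file": expand(cfg["keylog_path"]) + "\\" + cfg["keylog_file"],
        "screenshot_dir": expand(cfg["screenshot_path"]) + "\\" + cfg["screenshot_folder"],
        # The install base directory is not on the page: match the folder\file tail only.
        "copy_suffix": "\\" + cfg["copy_folder"] + "\\" + cfg["copy_file"],
        # Which features this build enables (install / keylog / screenshot).
        "enabled": {k[:-5]: cfg[k] == "true" for k in cfg if k.endswith("_flag")},
    }


def parse_event(line: str) -> dict:
    """'kind key=value key=value' -> dict (values here contain no spaces)."""
    kind, _, rest = line.partition(" ")
    ev = dict(re.findall(r"(\w+)=(\S+)", rest))
    ev["kind"] = kind
    return ev


def match_event(ev: dict, ioc: dict):
    """Name of the first indicator the event satisfies, or None."""
    kind = ev["kind"]
    lower = lambda k: ev.get(k, "").lower()
    if kind == "dns_query" and lower("name") == ioc["c2_host"]:
        return "remcos_c2_dns"
    if kind == "net_connect" and lower("host") == ioc["c2_host"] \
            and int(ev.get("port", 0)) == ioc["c2_port"]:
        return "remcos_c2_connect"
    if kind == "mutex_create" and ev.get("name") == ioc["mutex"]:
        return "remcos_mutex"
    if kind == "file_create":
        if lower("path") == ioc["keylog_file"].lower():
            return "remcos_keylog_file"
        if lower("path").endswith(ioc["copy_suffix"].lower()):
            return "remcos_copy"
    if kind == "reg_set" and lower("key").endswith("\\currentversion\\run") \
            and lower("data").endswith(ioc["copy_suffix"].lower()):
        return "run_key_persistence"
    return None


def scan(lines, cfg=REMCOS_CONFIG):
    """Return (rule, line) for every telemetry line that matches an indicator."""
    ioc = derive_iocs(cfg)
    hits = []
    for line in lines:
        line = line.strip()
        if line:
            rule = match_event(parse_event(line), ioc)
            if rule:
                hits.append((rule, line))
    return hits


# Constructed telemetry (not from the sandbox run): benign noise plus the
# activity this configuration would produce.
SAMPLE_TELEMETRY = r"""
dns_query proc=explorer.exe name=www.example.com
mutex_create proc=sample.exe name=ourvbpld-RBN2WW
file_create proc=sample.exe path=C:\Users\analyst\AppData\Roaming\paqlgkfs.dat
reg_set proc=sample.exe key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run data=C:\Users\analyst\AppData\Roaming\Remcos\remcos.exe
dns_query proc=sample.exe name=ourt2949aslumes9.duckdns.org
net_connect proc=sample.exe host=ourt2949aslumes9.duckdns.org port=2401
net_connect proc=chrome.exe host=www.example.com port=443
""".strip().splitlines()

if __name__ == "__main__":
    print("enabled features:", derive_iocs(REMCOS_CONFIG)["enabled"])
    for rule, line in scan(SAMPLE_TELEMETRY):
        print(f"{rule:22} {line}")
```

The DuckDNS host is the most durable indicator here: dynamic-DNS names are cheap to re-point, so alert on the name (DNS query) as well as on the resolved connection, and keep the mutex and keylog file name as host-side confirmation.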
Targets
Target: Приложение №1 на АИ-FOB Кавказ_сентябрь-октябрь 2023.exe
Size: 890KB
MD5: 5741f12af0f989bd145f21dd9a62d652
SHA1: 10d30c251b92ecc3bc7a0e3a8e0c86b2bf484ad4
SHA256: f7c4c713d4596ea0b8d544916de1bb1ba87d97b4c36343056f5172b6594713a8
SHA512: a1e911375cbe72a8d53fff029980f3f808f6485a48869439aa9f34409124503c4d7fb568a375cdc320e4eda618503b792090334a9b6b9ccfb686bd13e4c1f7f0
SSDEEP: 24576:eq7JcjVujvxYTHk8g55pdmlKCl99NDpKGN/VcUNK:V7uS5Gx85vClWGNNNK
Signatures
- Detect Xworm Payload (the configuration extracted above is Remcos; treat Xworm as a second candidate family until the payload itself is examined)
- Checks QEMU agent file: checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
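The last three signatures come from API arguments rather than from file or network artifacts: ThreadHideFromDebugger is THREADINFOCLASS 0x11 passed to NtSetInformationThread, and NtCreateThreadEx accepts the CreateFlags bit 0x4 (THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER) with the same effect; either stops a debugger from receiving events for that thread. SetThreadContext is suspicious on its own and more so when it targets a thread in a process whose memory the sample has just written, which is the classic hollowing sequence and goes beyond what this page records. The Python below is an added example of how such signatures are produced from an API trace; it is not Triage's signature engine. The two constants are the documented Windows values; the trace lines, the field names and the QEMU agent path are constructed assumptions.

```python
"""Derive the anti-debugging, thread-manipulation and QEMU-check signatures
from an API-call trace.

Added example for this report page, not Triage's signature engine. The two
constants are documented Windows values; SAMPLE_TRACE is constructed.
"""
import re

THREAD_HIDE_FROM_DEBUGGER = 0x11               # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4   # NtCreateThreadEx CreateFlags bit
FILE_PROBE_APIS = {"NtQueryAttributesFile", "GetFileAttributesW", "CreateFileW"}


def parse_call(line: str) -> dict:
    """'pid=.. api=.. Arg=value ..'; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def classify(trace) -> set:
    """Return the set of signature names the trace triggers."""
    sigs = set()
    written_into = set()   # pids that some other process wrote memory into
    for line in trace:
        call = parse_call(line)
        api = call.get("api")
        if api == "NtSetInformationThread" and \
                int(call.get("ThreadInformationClass", "0"), 0) == THREAD_HIDE_FROM_DEBUGGER:
            sigs.add("Suspicious use of NtSetInformationThreadHideFromDebugger")
        elif api == "NtCreateThreadEx" and \
                int(call.get("CreateFlags", "0"), 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            sigs.add("Suspicious use of NtCreateThreadExHideFromDebugger")
        elif api == "WriteProcessMemory" and call.get("target_pid") != call.get("pid"):
            written_into.add(call["target_pid"])
        elif api == "SetThreadContext":
            sigs.add("Suspicious use of SetThreadContext")
            # Beyond the page: a context set on a thread of a process whose memory
            # was just overwritten from outside is the process-hollowing pattern.
            if call.get("target_pid") in written_into:
                sigs.add("Possible process hollowing")
        elif api in FILE_PROBE_APIS and "qemu-ga" in call.get("path", "").lower():
            # qemu-ga.exe is the QEMU guest agent binary; the directory is an assumption.
            sigs.add("Checks QEMU agent file")
    return sigs


# Constructed trace (not from the sandbox run): pid 100 is the sample,
# pid 200 a child process it started. Handle values are illustrative.
SAMPLE_TRACE = [
    'pid=100 api=GetFileAttributesW path="C:\\Program Files\\qemu-ga\\qemu-ga.exe"',
    'pid=100 api=NtSetInformationThread ThreadHandle=0xfffffffe ThreadInformationClass=0x11',
    'pid=100 api=NtCreateThreadEx ProcessHandle=0xffffffff CreateFlags=0x4',
    'pid=100 api=WriteProcessMemory target_pid=200 BaseAddress=0x400000 Size=0x1000',
    'pid=100 api=SetThreadContext target_pid=200 ThreadHandle=0x1f4',
    'pid=100 api=NtSetInformationThread ThreadHandle=0x1f8 ThreadInformationClass=0x2',
]

if __name__ == "__main__":
    for sig in sorted(classify(SAMPLE_TRACE)):
        print(sig)
```

The last trace line shows why the class value matters: NtSetInformationThread is called constantly by benign code (0x2, ThreadPriority, here), so the signature keys on the 0x11 argument, not on the API name.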