General
Target: 06102023_1233_2230105.cab
Size: 529B
Sample: 231006-e6te9aha4x
MD5: a58e1362c45775cb09dd58e5a9a54495
SHA1: 660315e7a38b99acd9af75ccb8d9cc4affdb7abb
SHA256: ba5681f45c2a491ddf97f8439be7cf606a3650590fc21918516b4b3fa683b1b8
SHA512: 88ea0e0750b9b910113092df6ea9615e4a51ae60e5472ebb9ab6e165a0dd29317b8f446c75f5b9ee85b6973de5051d5d628c678a4bbe541dbdd694e72b05a65d
Static task: static1
Behavioral task: behavioral1
  Sample: 2230105.vbs
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 2230105.vbs
  Resource: win10v2004-20230915-en
Malware Config
Extracted: remcos
  EU
  tornado.ydns.eu:1972
  orifak.ydns.eu:1972
  rdpown.ydns.eu:1972
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: RmgDEfdfdef-3FSSYH
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: 2230105.vbs
Size: 884B
MD5: fbbe9c432bd57ec2999ed6c59f56e9fe
SHA1: 50a7227e75f3dbc73f2bbcc81798612fd7222868
SHA256: 73709402a093f4b559532f016cb0c7f8b7bc29b413dc3321a79f5a5a38b81c44
SHA512: 83805182c4588d089d4748143f093d1e48e5a1545c3deb15b1ffb4982d849868cbaf4ebe57d045513fad08b3cb74facd4b64d7680ac223db68711474d1fc3b03
Score: 10/10
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
Looks up the country code configured in the registry; this is likely a geofencing check.
Executes dropped EXE
Adds Run key to start application