General
Target: SirtakiQuote No 104-346.exe
Size: 1.7MB
Sample: 231012-kba83sah87
MD5: 119764b23b4ba1669e5e3a2f001d9974
SHA1: d951b8ef60e3c11e0c90761fa0057aa3534df42c
SHA256: e540958829005866e4ecd6e7f1cdf3b5c2f063717a746d4485ff0ed62ccf9e71
SHA512: 8c5bea8cbd88766da83d7c95bcaf3cc05b09c82def494bab1f779ffd9958d2459cd23d9ca98711386c8a4fef2ecbf4081dac62adced9a7ebda33643d1c10f175
SSDEEP: 49152:d8mdIHHlnWrxywK5/AXx1RPIf44B81jKn/VS5pXw6Qc:d8mdIHHlnWQJKyl+Fl5Qc
Static task: static1

Behavioral task: behavioral1
Sample: SirtakiQuote No 104-346.exe
Resource: win7-20230831-en

Behavioral task: behavioral2
Sample: SirtakiQuote No 104-346.exe
Resource: win10v2004-20230915-en
Malware Config
Extracted
remcos
Crypted
ourt2949aslumes9.duckdns.org:2401
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: paqlgkfs.dat
keylog_flag: false
keylog_path: %AppData%
mouse_option: false
mutex: ourvbpld-RBN2WW
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value:
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: SirtakiQuote No 104-346.exe
Size: 1.7MB
MD5: 119764b23b4ba1669e5e3a2f001d9974
SHA1: d951b8ef60e3c11e0c90761fa0057aa3534df42c
SHA256: e540958829005866e4ecd6e7f1cdf3b5c2f063717a746d4485ff0ed62ccf9e71
SHA512: 8c5bea8cbd88766da83d7c95bcaf3cc05b09c82def494bab1f779ffd9958d2459cd23d9ca98711386c8a4fef2ecbf4081dac62adced9a7ebda33643d1c10f175
SSDEEP: 49152:d8mdIHHlnWrxywK5/AXx1RPIf44B81jKn/VS5pXw6Qc:d8mdIHHlnWQJKyl+Fl5Qc
Score: 10/10
Loads dropped DLL
Adds Run key to start application
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext