General
Target: breakdown confirmation dk transport.exe
Size: 331KB
Sample: 231014-cd1mracf82
MD5: ffb5942257739fbfae0945ac0abff87d
SHA1: a46905e807670eac4377a7d85d6be997bb369fa2
SHA256: 75a14fd568ca466ad9c8ec045fa133798dc93fbc96cfc93a27bee766460ef7b6
SHA512: 6f9a56532af9763fc7b2da78507485c511c5495438507ab70dfb1f649e4c130d005bc22790e8fed19313206f56a034c198702f69c7f06b8b3e23a117425b17d8
SSDEEP: 6144:0VGdx6xAZFn+coaljg+P6WHxYLMMAlbV0ZIwOkaMPuLOfu+dENnnbIAtdx4hj+x+:IyZFn+itXHx7MArgaVLOW+d8nbIA+kE
Static task: static1
Behavioral task: behavioral1
  Sample: breakdown confirmation dk transport.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: breakdown confirmation dk transport.exe
  Resource: win10v2004-20230915-en
Malware Config
Extracted family: remcos
C2 (Crypted): ourt2949aslumes9.duckdns.org:2401
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: paqlgkfs.dat
keylog_flag: false
keylog_path: %AppData%
mouse_option: false
mutex: ourvbpld-RBN2WW
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value:
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: breakdown confirmation dk transport.exe (331KB; hashes as listed under General above)
Score: 10/10
Signatures:
- Checks QEMU agent file: checks presence of the QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
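The value of an extracted config like the one above is that it can be turned directly into detection content. The Python below is an added example, not part of the sandbox report: it derives host and network indicators from the extracted Remcos fields (C2 host and port, mutex, copy_folder\copy_file, keylog_path\keylog_file) and runs them over constructed key=value telemetry lines. The log format is invented for the example, the expansion of %AppData% to the per-user Roaming directory is an assumption, and paths are matched on their suffix so the check does not depend on the user profile path. A destination port on its own is only weak evidence, so that match is reported with low confidence.

```python
import re

# Fields copied from the extracted Remcos config on this page.
REMCOS_CONFIG = {
    "c2": "ourt2949aslumes9.duckdns.org:2401",
    "mutex": "ourvbpld-RBN2WW",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_path": "%AppData%",
    "keylog_file": "paqlgkfs.dat",
}

# Registry key fragment matching the "Adds Run key" signature.
RUN_KEY = "\\currentversion\\run"


def build_indicators(cfg):
    """Derive matchable indicators from the config.

    Paths are reduced to suffixes so matching is independent of the
    user profile directory (assumption: %AppData% expands to the
    per-user ...\\AppData\\Roaming directory).
    """
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        # %AppData%\paqlgkfs.dat -> "\appdata\roaming\paqlgkfs.dat"
        "keylog_suffix": "\\appdata\\roaming\\" + cfg["keylog_file"].lower(),
        # copy_folder\copy_file -> "\remcos\remcos.exe"
        "copy_suffix": "\\" + cfg["copy_folder"].lower() + "\\" + cfg["copy_file"].lower(),
    }


KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Parse one constructed 'key=value key=value' telemetry line."""
    return dict(KV.findall(line))


def match_event(ev, ind):
    """Return (confidence, reason) for one parsed event, or None."""
    kind = ev.get("event")
    if kind == "dns" and ev.get("query", "").lower().rstrip(".") == ind["c2_host"]:
        return ("high", "DNS query for configured C2 host")
    if kind == "netconn" and ev.get("dport") == str(ind["c2_port"]):
        # Port alone is weak evidence; corroborate with a DNS hit on the same host.
        return ("low", "outbound connection to configured C2 port")
    if kind == "mutex" and ev.get("name") == ind["mutex"]:
        return ("high", "configured mutex created")
    if kind == "file_write":
        path = ev.get("path", "").lower()
        if path.endswith(ind["keylog_suffix"]):
            return ("high", "keylog file written under keylog_path")
        if path.endswith(ind["copy_suffix"]):
            return ("high", "binary copied to copy_folder\\copy_file")
    if kind == "reg_set" and RUN_KEY in ev.get("key", "").lower():
        if ev.get("data", "").lower().endswith(ind["copy_suffix"]):
            return ("high", "Run key points at copied binary")
        return ("low", "Run key modified")
    return None


def scan(lines, cfg=REMCOS_CONFIG):
    """Return (ts, host, confidence, reason) for every matching line."""
    ind = build_indicators(cfg)
    hits = []
    for line in lines:
        ev = parse(line)
        m = match_event(ev, ind)
        if m:
            hits.append((ev.get("ts"), ev.get("host"), m[0], m[1]))
    return hits


# Constructed sample telemetry; not taken from the sandbox run above.
SAMPLE_LOGS = [
    "ts=2023-10-14T09:00:01Z host=WS01 event=dns query=ourt2949aslumes9.duckdns.org",
    "ts=2023-10-14T09:00:02Z host=WS01 event=netconn dst=203.0.113.10 dport=2401",
    "ts=2023-10-14T09:00:02Z host=WS01 event=mutex name=ourvbpld-RBN2WW",
    "ts=2023-10-14T09:00:03Z host=WS01 event=file_write path=C:\\Users\\bob\\AppData\\Roaming\\paqlgkfs.dat",
    "ts=2023-10-14T09:00:04Z host=WS01 event=reg_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=Remcos data=C:\\Users\\bob\\AppData\\Roaming\\Remcos\\remcos.exe",
    "ts=2023-10-14T09:01:00Z host=WS02 event=dns query=login.microsoftonline.com",
    "ts=2023-10-14T09:01:05Z host=WS02 event=netconn dst=198.51.100.7 dport=443",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Running the block reports five hits on WS01 (DNS, port, mutex, keylog file, Run key) and nothing on WS02. In a real deployment the port-only match should be kept as enrichment rather than an alert, and the config values should be loaded from the extractor output rather than hard-coded, since Remcos builds change the mutex, file names and C2 per campaign.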