General
Target: DocumentsDOC03029314B76858448A444B4C03EEC7.exe
Size: 2.5MB
Sample: 231118-jvdymseb2y
MD5: ca136954ac61b48748d20917d53cbcf8
SHA1: 998b242eb414a3e01152974770dd73ba4074c930
SHA256: 0067c69cb26b7d110d44ee46cce62c7ad377fb72bd73cdc44ba4b4b4dadd5445
SHA512: 0df61d87acc978e8a534635f518d12a1582350ce0378e1057c0f0b6c60f2b0e4aa521305e38e42d458a2fe87a5f06ba751eb502772649f63414fe5e155182282
SSDEEP: 49152:SQBlwsJGhf+KMDMosVy+c+zM++0yvqTmhN8pEkV:SuwgwMsVy+cYv+0xwNM
Static task: static1
Behavioral task: behavioral1
  Sample: DocumentsDOC03029314B76858448A444B4C03EEC7.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: DocumentsDOC03029314B76858448A444B4C03EEC7.exe
  Resource: win10v2004-20231023-en
Malware Config
Extracted: remcos
RemoteHost: mybabygirl.duckdns.org:24500
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: gfgdsd-CJNDFU
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: DocumentsDOC03029314B76858448A444B4C03EEC7.exe
ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage
NirSoft MailPassView: Password recovery tool for various email clients
NirSoft WebBrowserPassView: Password recovery tool for various web browsers
Nirsoft
Executes dropped EXE
Loads dropped DLL
Accesses Microsoft Outlook accounts
Adds Run key to start application
Suspicious use of SetThreadContext