General
Target: Order#029123.exe
Size: 1.7MB
Sample: 231121-lcg9fsde65
MD5: 1e57923619d0aa1b174a11b5c455ffc8
SHA1: 90adcf20ec0ff6b4906a7600b76c76780704f306
SHA256: 06df9938eb1faaf4c5862a64273998b15201a83e5a46842cd0067a50eb964f4b
SHA512: 5260f75fc92eeec133d622c9c00e5371034b0db7d23696649cea95ea6025bd25033d229db07f26bf404845222f8d4c8634d17406be4157976bbe4b57b4e8cc43
SSDEEP: 49152:bZAtX8IxTqh0eJa3DZEe9sRuCVCW49MyqChsQ:bZmXX8Za31CuCcxMXC+Q
Static task: static1
Behavioral task: behavioral1 (sample: Order#029123.exe, resource: win7-20231023-en)
Behavioral task: behavioral2 (sample: Order#029123.exe, resource: win10v2004-20231020-en)
Malware Config
Extracted family: remcos
Botnet: NOVEMBER
C2: suntit.ddns.net:3355
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: sfnmccyh-R1OQ9B
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
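How a Remcos configuration like the one above is typically recovered, as an added example that is not part of the sandbox report and is not the extractor the sandbox used. It assumes the layout public Remcos config extractors document for 3.x/4.x builds: the settings blob (carried in the RCDATA resource named SETTINGS) starts with a one-byte RC4 key length, then the key, then the RC4-encrypted settings string whose fields are joined by a version-dependent separator (assumed here to be `|\x1e\x1e\x1f|`; older builds used `|\x1f\x1f\x1f|`). Pulling the resource out of the PE is left to a tool such as pefile; the script starts from the blob, and the blob it decodes is one it builds itself from a few of the values above, not bytes taken from the sample.

```python
"""Decode a Remcos-style SETTINGS blob (added example, assumed layout, constructed input)."""
import re

# Assumed field separator for Remcos 3.x/4.x; older builds: b"|\x1f\x1f\x1f|".
SEP = b"|\x1e\x1e\x1f|"
# host:port tokens (domain or dotted-quad), used to pick C2 endpoints out of the fields.
HOSTPORT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+):(\d{1,5})\b", re.I)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_settings_blob(key: bytes, fields: list, sep: bytes = SEP) -> bytes:
    """Pack fields the way the SETTINGS resource is assumed to be laid out:
    [key length (1 byte)][key][RC4(key, fields joined by sep)]. Used only to
    construct test input here."""
    if not 1 <= len(key) <= 255:
        raise ValueError("RC4 key length must fit in one byte")
    plain = sep.join(f.encode("latin-1") for f in fields)
    return bytes([len(key)]) + key + rc4(key, plain)


def decode_settings(blob: bytes, sep: bytes = SEP) -> dict:
    """Recover the settings fields and the C2 host:port entries from a blob."""
    if not blob:
        raise ValueError("empty blob")
    klen = blob[0]
    if klen == 0 or len(blob) < 1 + klen:
        raise ValueError("implausible key length byte; not a SETTINGS blob or a different layout")
    key = blob[1:1 + klen]
    plain = rc4(key, blob[1 + klen:])
    fields = [f.decode("latin-1") for f in plain.split(sep)]
    if len(fields) == 1:
        # Wrong separator for this build, or the key length byte was not where we expected.
        raise ValueError("no field separator found; try another separator (e.g. b'|\\x1f\\x1f\\x1f|')")
    c2 = [f"{h}:{p}" for f in fields for h, p in HOSTPORT.findall(f)]
    return {"key": key, "fields": fields, "c2": c2}


# Constructed input: a handful of values from the report's extracted config,
# packed and RC4-encrypted by this script under a made-up key.
SAMPLE_FIELDS = ["suntit.ddns.net:3355", "NOVEMBER", "Remcos", "remcos.exe", "logs.dat", "sfnmccyh-R1OQ9B"]
SAMPLE_BLOB = build_settings_blob(b"made-up-key", SAMPLE_FIELDS)

if __name__ == "__main__":
    cfg = decode_settings(SAMPLE_BLOB)
    print("rc4 key:", cfg["key"])
    print("c2:", cfg["c2"])
    for i, f in enumerate(cfg["fields"]):
        print(f"field[{i}] = {f!r}")
```

The C2 entries are located by pattern rather than by field index on purpose: field order differs between Remcos versions, and a decoder that hard-codes indices silently mislabels fields on the next build. When the decode fails with the separator error, try the other separator before suspecting the key.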
Targets
Target: Order#029123.exe (1.7MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General above)
Signatures
ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malware families.
ModiLoader Second Stage
NirSoft MailPassView: password recovery tool for various email clients
NirSoft WebBrowserPassView: password recovery tool for various web browsers
Nirsoft
Executes dropped EXE
Loads dropped DLL
Accesses Microsoft Outlook accounts
Adds Run key to start application
Suspicious use of SetThreadContext
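Two of the behavioral signatures above, "Executes dropped EXE" and "Adds Run key to start application", re-derived from endpoint telemetry, as an added example that is not part of the sandbox report and not the sandbox's own signature logic. The events are constructed in the shape of Sysmon event IDs 1 (process create), 11 (file create) and 13 (registry value set); the paths, SID and user name are illustrative and the vendor entries are benign noise added so that the heuristic has something to ignore. The copy path follows the extracted config (copy_folder Remcos, copy_file remcos.exe under %AppData%); whether this run actually wrote there is not something the events below prove.

```python
"""Detection logic for two sandbox signatures over constructed Sysmon-style events
(added example; events are made up, not from the sandbox run)."""
import re

# Heuristic: autostart entries pointing into user-writable locations are suspicious.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

# Constructed events (illustrative paths). id: 1 = process create, 11 = file create, 13 = registry set.
EVENTS = [
    {"id": 1, "image": r"C:\Users\u\Desktop\Order#029123.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 11, "image": r"C:\Users\u\Desktop\Order#029123.exe",
     "target": r"C:\Users\u\AppData\Roaming\Remcos\remcos.exe"},
    {"id": 13, "image": r"C:\Users\u\Desktop\Order#029123.exe",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Remcos",
     "data": r"C:\Users\u\AppData\Roaming\Remcos\remcos.exe"},
    {"id": 1, "image": r"C:\Users\u\AppData\Roaming\Remcos\remcos.exe",
     "parent": r"C:\Users\u\Desktop\Order#029123.exe"},
]
BENIGN_EVENTS = [
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "data": r"C:\Program Files\Vendor\app.exe"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]


def detect(events: list) -> list:
    """Return (signature, detail) pairs. Events must be in chronological order,
    since 'dropped' means written earlier in the same trace."""
    hits = []
    dropped = {}  # lowercase path of a written .exe -> image that wrote it
    for e in events:
        if e["id"] == 11 and e["target"].lower().endswith(".exe"):
            dropped[e["target"].lower()] = e["image"]
        elif e["id"] == 1 and e["image"].lower() in dropped:
            hits.append(("Executes dropped EXE",
                         f'{e["image"]} (written by {dropped[e["image"].lower()]})'))
        elif e["id"] == 13 and RUN_KEY.search(e["key"]):
            data = e["data"]
            if USER_WRITABLE.search(data) or data.lower() in dropped:
                hits.append(("Adds Run key to start application",
                             f'{e["key"]} -> {data} (set by {e["image"]})'))
    return hits


if __name__ == "__main__":
    for sig, detail in detect(EVENTS + BENIGN_EVENTS):
        print(f"[{sig}] {detail}")
```

Keeping the writer's image in each hit matters for this sample: the extracted config has install_flag false, so Remcos itself is not expected to install, and the Run key the sandbox observed is worth attributing to whichever process actually set it (the registry event's image) rather than assumed to be Remcos' own installer routine. The SetThreadContext signature is not reproducible from these event types; it needs API-level tracing.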