General
Target: Angela_White_JPG.zip
Size: 322KB
Sample: 231122-j3l9zsbb54
MD5: 1e39b990643671609207586826a3b9ea
SHA1: 1d850f1ef557e47fdbce8eecc56bc4a6765189e3
SHA256: 87472cf680b74aac4100b172a75b892b1d6c48427f6efb47bffc1902dfd6a621
SHA512: ac66b11d310f98a414df292fa561232f6e1b98ac80bb27865fd0ec31bd4f777235f07b2585afd9d7e9d2986f36e0f98035fd837df09fd52c52cacd4b5f65c193
SSDEEP: 6144:M1ZqZy6ZraZWIUVBjpDL5TdivHY7L4eKpDHHV6x85/NRVyMLUVfLIImoGRTH:MfqZy69LpH5qY34e+nVE85gjpIrRD
Static task: static1
Behavioral task: behavioral1
  Sample: '
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: '
  Resource: win10v2004-20231023-en
Behavioral task: behavioral3
  Sample: Angela_White_JPG.vbs
  Resource: win7-20231020-en
Behavioral task: behavioral4
  Sample: Angela_White_JPG.vbs
  Resource: win10v2004-20231023-en
Malware Config
Extracted: asyncrat
  1.0.7
  FUD
  141.95.84.40:4291
  acw2
  delay: 1
  install: false
  install_folder: %AppData%
Extracted: remcos
  KOS
  141.95.84.40:1010
  audio_folder: MicRecords
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: logswin64
  mouse_option: false
  mutex: Rmc-9GHGK3
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  take_screenshot_option: false
  take_screenshot_time: 5
Extracted: remcos
  2023 NEW nn
  snackdoom94.hopto.org:39
  audio_folder: MicRecords
  audio_path: %AppData%
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  install_path: %AppData%
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  keylog_path: %AppData%
  mouse_option: false
  mutex: Remcos-40NWT9
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  startup_value: Remcos
  take_screenshot_option: false
  take_screenshot_time: 5
Targets
Target: '
  Size: 697KB
  MD5: 2a21115867353c3cb04732f5b175c1d3
  SHA1: 076c30b453a4c7684b116f02dc251b0b48b700f9
  SHA256: 5a406f27014327ba0a27040e03e7c106a0db28e11cf55679ef711ad8da09f6b8
  SHA512: 2bfd8a6199823a355a0945075334a4541743399503c731175c56b6f34af81cd39151d91d140a67211528e21f799c28d1f362f8e09a101b32552d1bf25738a058
  SSDEEP: 12288:m+Ep3f1vWkq0c0hjfkACwsu4Qk/CYaw+EKWM3:m+E7WUEpwsu6/CYT+EKv3
  Score: 1/10
Target: Angela_White_JPG.vbs
  Size: 111KB
  MD5: 101629a8b4fcd639c67610a9e2c1092a
  SHA1: 549da348789e4629ab208a4522b6d4167349c9ad
  SHA256: e27df88174a2ffb119da0f082a2f7eb86aa1951236c9c0fd4854418469a1ded8
  SHA512: 5e4ee43a3a1b7e624be4602572a2d642ecb7b385beaeb7c17acf66f380f5e17cbd22234ee3b18cfac15339c31b6502ac746e937f27600db1dbe84e46ec6964f0
  SSDEEP: 3072:Q03pXdSenFkCum03pvfpp03pp03pp03pA:LSeQr5
  Score: 10/10
  - Async RAT payload
  - Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
  - Drops startup file
  - Loads dropped DLL
  - Registers COM server for autorun
  - Suspicious use of SetThreadContext