General
Target: Order_Information.zip
Size: 348B
Sample: 231123-n31vlahe77
MD5: 546ad3a6631b95a52348f2da9069add3
SHA1: d0ec967ec59dd066ea73676caadc92a4b6e02f27
SHA256: aa641dbc9ba61f0b29a8bbb5deda6e48d53a9af403f6fcff3d65ddc3b8d84156
SHA512: ac28258116f95b8dfe9ae080101b80af9c2ddc17cb170a073694aafcd887f8812b1575872c7f576664e73c0332eef28e41b7a07923a44aee97fefb55a2d7b901
Static task: static1
Behavioral task: behavioral1
  Sample: Order_Information.url
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: Order_Information.url
  Resource: win10v2004-20231023-en
Malware Config
Extracted family: remcos
RemoteHost:
  listpoints.online:6090
  retghrtgwtrgtg.bounceme.net:3839
  listpoints.click:7020
  datastream.myvnc.com:5225
  gservicese.com:2718
  center.onthewifi.com:8118
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: explorer.exe
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-BXAQVH
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: Order_Information.url
Size: 201B
MD5: 73461871b344c75f77323047fbafd617
SHA1: 2a7860291499b27b133fe538f792173d7fc93de2
SHA256: dbd04333b7af300fbe8f6843866881403b48711d6380102109dabfdad6ad0251
SHA512: 275bc9b94ebb8797c08a75bd4f0cebd7d8bf143d73d649df612fb4c2eeae9b6ea764f4871da9fa097f0b3e74d706e4c3e8b2e80ecaf94cdfefc6f0d9be8ea2cc
Score: 10/10
Signatures:
  Suspicious use of NtCreateUserProcess (OtherParentProcess)
  Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
  Executes dropped EXE
  Loads dropped DLL
  Suspicious use of SetThreadContext