General
- Target: Scandoc223.7z
- Size: 1.6MB
- Sample: 231128-cmt7bsed78
- MD5: 2a265b9c066417b25da375bd5c24f80a
- SHA1: 4d567644dc578a361ef11ae2608ffbae8d5035c9
- SHA256: 06f9fcebf04bd66784deac0850eba11825eab3340cd6903a5484fc09b6b6628e
- SHA512: c3e24ab94cc8fe701f413fc972abf017bcb5b56fb5e6775800f37e51c3cb285bf7563ea24e10336aaf1b39d13ed7b14a11e5cc5108aca744380d8dccba1d56d3
- SSDEEP: 49152:fsevbHozCKAmcKuo3gYLdth0nLQ7FgY4RPjSmAdwx2X:kKMCKA5KZ37t+8iY4wnWA
- Static task: static1
- Behavioral task: behavioral1 (Sample: Scandoc223.exe, Resource: win7-20231023-en)
- Behavioral task: behavioral2 (Sample: Scandoc223.exe, Resource: win10v2004-20231127-en)
Malware Config
Extracted: remcos
babbalog
mxzaa.duckdns.org:2404
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: babaa
- mouse_option: false
- mutex: Rmc-17YJIC
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: Scandoc223.exe
- Size: 2.2MB
- MD5: b4d1178b1f8921d054f49d4d8028aa21
- SHA1: 6866038be6243a96fa92320dd7986371de4a1f02
- SHA256: 078d6702680b6e39f3d6062dac3b1477e71667f12dc0ea3c73a0446f16731af8
- SHA512: 6476f04a366d3c65ebf4a949aff64eae13e382cf701bc36299112b2d3b12e8faf92d250870bdb393159de93af258adfe3995435c0f74e561b8345c519e53cf44
- SSDEEP: 49152:JWPpH8yc0/wU2lpe63ZrxKrVEbRIqiPt41PFehg1mQmPoE:JCpcyV/wjpdZrxEVEtI14TqnLPoE
Score: 10/10
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext