General

Target: 898302d6c754b36276f8414598104acb10d8797b76e86263cec172006069c6ccexe.exe
Size: 88KB
Sample: 231207-x3qt3aef72
MD5: 28bedb26eebf091fd500058cec9e1d23
SHA1: 5419ddc460642d8b12b91057ba8d8481c679a38d
SHA256: 898302d6c754b36276f8414598104acb10d8797b76e86263cec172006069c6cc
SHA512: c441d9d8c749634c299c8ed73c24b2f4470def462d5ce2975ec8dbcb3d8981495687774d510a877012f09d847941a08692732bbe828341b6b6a576b239838bee
SSDEEP: 1536:f7hcu/+CtyKcMyAFFApuSpNjOGHEIjrb2dioLKrhWWc51:lnEKis2gGttjk9SM51

Static task: static1
Behavioral task: behavioral1
Sample: 898302d6c754b36276f8414598104acb10d8797b76e86263cec172006069c6ccexe.exe
Resource: win7-20231020-en

Malware Config

Extracted: strrat
C2: jegjav.duckdns.org:2027
C2: 194.59.31.150:2028
license_id: khonsari
plugins_url: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task: true
secondary_startup: true
startup: true

Extracted: remcos
Botnet: DAY1
C2: 195.201.79.232:2026
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: Chrome
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-X2Y2NP
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
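The Remcos values above come out of an embedded, RC4-encrypted settings string. The script below is an added example for this report (not the sandbox's code and not recovered from the sample) showing how such a blob is decrypted and split. It assumes the commonly documented layout of the Remcos "SETTINGS" resource: one byte of key length, the RC4 key, then the encrypted settings with fields separated by `|\x1e\x1e\x1f|`. The field order used in the constructed demo blob (C2 list, botnet id, mutex, install path, keylog file), the 0x1f separator between C2 entries, the demo key and the C2 password "pass" are assumptions for illustration; real builds carry far more fields in a version-dependent order.

```python
"""
Decrypt and split a Remcos-style embedded configuration.

Added example for this report, not code from the sandbox or from the sample.
Assumed layout (the commonly documented Remcos "SETTINGS" RCDATA resource):
  byte 0        = RC4 key length
  next N bytes  = RC4 key
  remainder     = RC4-encrypted settings, fields separated by "|\x1e\x1e\x1f|"
The field order below (C2 list, botnet id, mutex, install path, keylog file)
is an assumption for illustration only; real builds carry many more fields
and the order varies between Remcos versions.
"""
from typing import Dict, List

FIELD_SEP = b"|\x1e\x1e\x1f|"
C2_SEP = b"\x1f"  # assumption: several host:port:password entries joined by 0x1f

# Constructed demo values. Host, port, botnet, mutex, path and keylog file are the
# ones this report extracted; the C2 password "pass" and the key are made up.
SAMPLE_KEY = b"demo-key-2026"
SAMPLE_FIELDS: List[bytes] = [
    b"195.201.79.232:2026:pass",   # host:port:password
    b"DAY1",                       # botnet id
    b"Rmc-X2Y2NP",                 # mutex
    b"%AppData%",                  # install_path
    b"logs.dat",                   # keylog_file
]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_blob(key: bytes, fields: List[bytes]) -> bytes:
    """Produce a blob in the assumed layout so the parser can be exercised offline."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


def decrypt_settings(blob: bytes) -> bytes:
    """Recover the plaintext settings string from a blob in the assumed layout."""
    if len(blob) < 2:
        raise ValueError("blob too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError("malformed blob: bad key length")
    key = blob[1:1 + key_len]
    return rc4(key, blob[1 + key_len:])


def parse_settings(plain: bytes) -> Dict[str, object]:
    """Split the settings string and decode the C2 list (host:port:password)."""
    fields = plain.split(FIELD_SEP)
    if len(fields) < 2:
        raise ValueError("separator not found: wrong key or a different config version")
    c2 = []
    for entry in fields[0].split(C2_SEP):
        parts = entry.split(b":", 2)
        if len(parts) != 3:
            raise ValueError("malformed C2 entry, expected host:port:password")
        host, port, password = parts
        c2.append({"host": host.decode(), "port": int(port), "password": password.decode()})
    return {
        "c2": c2,
        "botnet": fields[1].decode(errors="replace"),
        "fields": [f.decode(errors="replace") for f in fields],
    }


def demo() -> Dict[str, object]:
    """Round-trip the constructed config through build -> decrypt -> parse."""
    blob = build_blob(SAMPLE_KEY, SAMPLE_FIELDS)
    return parse_settings(decrypt_settings(blob))


if __name__ == "__main__":
    cfg = demo()
    for c2 in cfg["c2"]:
        print(f"C2 {c2['host']}:{c2['port']}  botnet={cfg['botnet']}")
```

When pointing this at a real resource, the useful failure signal is the missing separator: a wrong key or a different Remcos version produces RC4 output without `|\x1e\x1e\x1f|`, and `parse_settings` refuses it rather than returning garbage fields.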

Targets

Target: 898302d6c754b36276f8414598104acb10d8797b76e86263cec172006069c6ccexe.exe

Checks computer location settings: looks up the country code configured in the registry (typically the GeoID stored under HKCU\Control Panel\International\Geo), likely a geofence; before trusting the rest of this run, check whether the sample bails out when that value matches a region it avoids.
Modifies file permissions
Suspicious use of SetThreadContext: SetThreadContext on another thread is the usual way hollowed or injected code is handed control (the thread's entry point is redirected before it is resumed), so cross-check the behavioral task for a suspended child process whose memory was written before this call.
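The extracted STRRAT and Remcos configurations above give four network indicators: the DDNS name jegjav.duckdns.org, the sockets 194.59.31.150:2028 and 195.201.79.232:2026, and the plugin URL on jbfrost.live. The script below is an added example (not the sandbox's code) that matches those indicators against connection, DNS and HTTP records, distinguishing a hit on the exact configured socket from a weaker bare-IP hit and matching the DDNS name on subdomains. The log format and every log line are constructed for the demo; the three small parsers are the part to adapt to a real Zeek or Suricata export.

```python
"""
Match the network indicators the sandbox extracted from this sample against
connection, DNS and HTTP log records.

Added example for this report, not the sandbox's own code. The log format is
a constructed tab-separated one (kind, src, then kind-specific fields), not a
real Zeek or Suricata export; adapt the three parsers to your own logs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators as listed in this report's Malware Config section.
STRRAT_C2: List[Tuple[str, int]] = [("jegjav.duckdns.org", 2027), ("194.59.31.150", 2028)]
STRRAT_PLUGINS_URL = "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5"
REMCOS_C2: List[Tuple[str, int]] = [("195.201.79.232", 2026)]

# Constructed log records for the demo (not from the sandbox run).
SAMPLE_LOG = """\
dns\t10.0.0.5\tjegjav.duckdns.org
conn\t10.0.0.5\t194.59.31.150\t2028
conn\t10.0.0.5\t195.201.79.232\t2026
conn\t10.0.0.5\t195.201.79.232\t443
http\t10.0.0.5\tjbfrost.live\t/strigoi/server/?hwid=1&lid=m&ht=5
conn\t10.0.0.7\t8.8.8.8\t53
dns\t10.0.0.7\twww.example.com
"""


@dataclass(frozen=True)
class Hit:
    line_no: int
    family: str
    indicator: str
    confidence: str  # "dns", "c2_socket", "ip_only" or "url"


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_index():
    """Split the C2 list into socket, bare-IP and hostname lookups, plus the plugin URL."""
    sockets: Dict[Tuple[str, int], str] = {}
    ips: Dict[str, str] = {}
    names: Dict[str, str] = {}
    for family, c2s in (("strrat", STRRAT_C2), ("remcos", REMCOS_C2)):
        for host, port in c2s:
            if _is_ip(host):
                sockets[(host, port)] = family
                ips[host] = family
            else:
                names[host.lower()] = family
    parsed = urlsplit(STRRAT_PLUGINS_URL)
    urls: Dict[Tuple[str, str], str] = {(parsed.hostname, parsed.path): "strrat"}
    return sockets, ips, names, urls


def _match_name(query: str, names: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Exact or subdomain match; the DDNS name is the stable indicator, its IP is not."""
    q = query.lower().rstrip(".")
    for name, family in names.items():
        if q == name or q.endswith("." + name):
            return name, family
    return None


def scan(log: str) -> List[Hit]:
    """Return one Hit per log record that touches an indicator, in log order."""
    sockets, ips, names, urls = build_index()
    hits: List[Hit] = []
    for line_no, raw in enumerate(log.splitlines(), 1):
        parts = raw.split("\t")
        kind = parts[0]
        if kind == "dns" and len(parts) == 3:
            found = _match_name(parts[2], names)
            if found:
                hits.append(Hit(line_no, found[1], found[0], "dns"))
        elif kind == "conn" and len(parts) == 4:
            dst, port = parts[2], int(parts[3])
            if (dst, port) in sockets:
                hits.append(Hit(line_no, sockets[(dst, port)], f"{dst}:{port}", "c2_socket"))
            elif dst in ips:
                # Same server, different port: worth a look, but weaker than the configured socket.
                hits.append(Hit(line_no, ips[dst], dst, "ip_only"))
        elif kind == "http" and len(parts) == 4:
            host, uri = parts[2].lower(), parts[3]
            for (url_host, url_path), family in urls.items():
                if host == url_host and uri.startswith(url_path):
                    hits.append(Hit(line_no, family, url_host + url_path, "url"))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.family} {hit.confidence} {hit.indicator}")
```

The DDNS hostname is matched on the name rather than on whatever it resolved to during the sandbox run, since duckdns records are repointed at will; conversely a bare-IP hit on 195.201.79.232 over a port other than 2026 is reported separately so it can be triaged with less weight than the configured socket.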