General
-
Target
PO-0927902-27.exe
-
Size
1.5MB
-
Sample
231213-nqzf1acadp
-
MD5
efd90dc18ab8b704acc723db684cc55e
-
SHA1
f8bf895f8f2ab82ccf8b2c0ed23f3fe8845d6fb0
-
SHA256
d715183696f33d61192d9c7815b099ccea321a0a734bbec82c2963dbc1b37b42
-
SHA512
7a74f73f45622a4c03ceca98a63cc3442e004515b9fde24c227b8697683852b71c5a4e311e1627ca5453d7628ea9d9950369af1fd975159da839c4b839e4607a
-
SSDEEP
24576:cpbbeAR9HJiAO7eZ3bXfkGSZr/QTopkgxKJYiTPwQaN:cpyAueZ3bnSZr/QTukKiTPXaN
Static task
static1
Behavioral task
behavioral1
Sample
PO-0927902-27.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
PO-0927902-27.exe
Resource
win10v2004-20231127-en
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:45070
127.0.0.1:52707
172.245.208.30:52707
172.245.208.30:45070
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-2NCCY9
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
PO-0927902-27.exe
-
Size
1.5MB
-
MD5
efd90dc18ab8b704acc723db684cc55e
-
SHA1
f8bf895f8f2ab82ccf8b2c0ed23f3fe8845d6fb0
-
SHA256
d715183696f33d61192d9c7815b099ccea321a0a734bbec82c2963dbc1b37b42
-
SHA512
7a74f73f45622a4c03ceca98a63cc3442e004515b9fde24c227b8697683852b71c5a4e311e1627ca5453d7628ea9d9950369af1fd975159da839c4b839e4607a
-
SSDEEP
24576:cpbbeAR9HJiAO7eZ3bXfkGSZr/QTopkgxKJYiTPwQaN:cpyAueZ3bnSZr/QTukKiTPXaN
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-