General
- Target: 651b0cae664c3d9e1da6d664bac308d3.exe
- Size: 420KB
- Sample: 240106-ma1hpaefc2
- MD5: 651b0cae664c3d9e1da6d664bac308d3
- SHA1: d2bda6cd6753ef92ef069983299b6bd545f7e00c
- SHA256: adc69083d0ebafc23b9960b44c46afd7888d08696d7a8823bf416045521e2a75
- SHA512: a6581c1bea1ad419bc82e161b17ebc6b4cf77ac0ad985ff4cb45b41706fe738a799834d10695737ea1ac222ef2eec096bd6e93817ec6a216d77d522380742c4c
- SSDEEP: 6144:59g5p/aJJL7XJAnY7jioSgBK0Ru115xTcYeEknZJJAVAe+:5gUJHX+nOjhBq1j2AWx
Behavioral task: behavioral1
- Sample: 651b0cae664c3d9e1da6d664bac308d3.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 651b0cae664c3d9e1da6d664bac308d3.exe
- Resource: win10v2004-20231222-en
Malware Config
Extracted
remcos
2.5.0 Pro
Buddy
eastsidepapi.myq-see.com:6996
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: Buddy.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Buddy-PVO134
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Buddy
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;
Targets
- Target: 651b0cae664c3d9e1da6d664bac308d3.exe
- Size: 420KB
- MD5: 651b0cae664c3d9e1da6d664bac308d3
- SHA1: d2bda6cd6753ef92ef069983299b6bd545f7e00c
- SHA256: adc69083d0ebafc23b9960b44c46afd7888d08696d7a8823bf416045521e2a75
- SHA512: a6581c1bea1ad419bc82e161b17ebc6b4cf77ac0ad985ff4cb45b41706fe738a799834d10695737ea1ac222ef2eec096bd6e93817ec6a216d77d522380742c4c
- SSDEEP: 6144:59g5p/aJJL7XJAnY7jioSgBK0Ru115xTcYeEknZJJAVAe+:5gUJHX+nOjhBq1j2AWx
Score: 10/10
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext