General
-
Target
097127aea3fae1c74c8a32b597a30e49.exe
-
Size
493KB
-
Sample
240121-kxt83saeb7
-
MD5
097127aea3fae1c74c8a32b597a30e49
-
SHA1
c23fa33a1f723da4a2d429c32f78da1b8982d19d
-
SHA256
7eb6163c64d8a76a6ae68356a2bf76639603dff973c334ef6ef1064850e9fd9e
-
SHA512
764743b55d92d9433a1a2cd705b58afa5b78f15e0ca9b95dfcb466bd3aeb4c2af1c826c04a5501c9bf2faba2b16f3f17a4bfd3cc9058a41a35789474cf6fdb45
-
SSDEEP
12288:JRfqNm/Q2uJZ96W9lQpY8SuaPFgGjwRcdo7H1:bqNMjuJaWjepcFzjwRZV
Static task
static1
Behavioral task
behavioral1
Sample
097127aea3fae1c74c8a32b597a30e49.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
097127aea3fae1c74c8a32b597a30e49.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20231215-en
Malware Config
Extracted
remcos
Special
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
lonjoup.dat
-
keylog_flag
false
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
lpereits-FZGND0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
- startup_value
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
097127aea3fae1c74c8a32b597a30e49.exe
-
Size
493KB
-
MD5
097127aea3fae1c74c8a32b597a30e49
-
SHA1
c23fa33a1f723da4a2d429c32f78da1b8982d19d
-
SHA256
7eb6163c64d8a76a6ae68356a2bf76639603dff973c334ef6ef1064850e9fd9e
-
SHA512
764743b55d92d9433a1a2cd705b58afa5b78f15e0ca9b95dfcb466bd3aeb4c2af1c826c04a5501c9bf2faba2b16f3f17a4bfd3cc9058a41a35789474cf6fdb45
-
SSDEEP
12288:JRfqNm/Q2uJZ96W9lQpY8SuaPFgGjwRcdo7H1:bqNMjuJaWjepcFzjwRZV
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
fc90dfb694d0e17b013d6f818bce41b0
-
SHA1
3243969886d640af3bfa442728b9f0dff9d5f5b0
-
SHA256
7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
-
SHA512
324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6
-
SSDEEP
192:e/b2HS5ih/7i00eWz9T7PH6yeFcQMI5+Vw+EXWZ77dslFZk:ewSUmWw9T7MmnI5+/F7Kdk
Score3/10 -