General
Target: anexe40.zip
Size: 1.3MB
Sample: 240126-q9khasgfap
MD5: 9d5c878aaaf8e4f956e1402646e2d06d
SHA1: 6bba2395bd3fa415a69ba03883693d8f52cfef45
SHA256: c40187647ed4519e1b0adca086d637cf76d05890a431343942360332818975d3
SHA512: c3c21bc9de4d0a0c5516fc8bd0dc60b44e2c764becdc9b7527ef939e8171381687829be273f0ffabbc0b0c6b30dd769fb58add3333d15f05d98bcb4841339f82
SSDEEP: 24576:wJ3e7AbvxpQac1uCPRdoxLCLIZ8iOeN4kmjICWVps3wDgmbhilkG:HGxG1zPRdWmLIC1eZsbWVps3whbA7
Static task: static1
Behavioral task: behavioral1
Sample: TransportLabel_7685508907_PDF - Copy (2).exe
Resource: win10-20231215-en
Malware Config
Extracted: remcos
Crypted
172.206.61.17:55642
172.206.61.17:55746
172.206.61.17:55867
172.206.61.17:55733
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: xosa.dat
keylog_flag: false
keylog_path: %UserProfile%
mouse_option: false
mutex: mioeiasa-XMLRCS
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value:
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: TransportLabel_7685508907_PDF - Copy (2).exe
Size: 1.9MB
MD5: c295d1b04c08cca83884279ef5deebeb
SHA1: 62589735b49497bfefff8f1e2994ab7bde2b05f7
SHA256: 3c22de3eaaaa8896d5d806e8840f6c37957062519614a30bc2c1d1c4dcbfc240
SHA512: 0ab11da7595c473aa180c95442a0e302984aa08679cf6ee023813a41de1e880b42c23ab2fd474884c511357b6296dacf60433089fbf2715a07fd2ffd8a3c5ad1
SSDEEP: 49152:6QYedNTsjnxf2hp4XLkrhKOekUvUeudcv4aF5P0RuG:6Qpds2hp4XQrhhekUvfud+uRp
Score: 10/10
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage
- Creates new service(s)
- Executes dropped EXE
- Loads dropped DLL