General
-
Target
75ef5c2c26d3ccc5719073b3a6f2e1a3124843ef91bf5b65f7afdab4a90f9d8d.exe
-
Size
474KB
-
Sample
240129-jla6dsefbn
-
MD5
25ba729a1538d68ad33fe36ca0548181
-
SHA1
1f87157d8d29b9d40b0e1ad6eb4617ba684c8f1a
-
SHA256
75ef5c2c26d3ccc5719073b3a6f2e1a3124843ef91bf5b65f7afdab4a90f9d8d
-
SHA512
86816fb6b3157e397a43828fcdc8dd7c0488ad7e634c49ecd13c12e28c0a88872f40c50287a4a01200638906a6781c6a38f6349374dc91b3c3c6f1ba5dfefbf9
-
SSDEEP
12288:6a7r+1Jt7W+FFqQ5xrW2nPD4EdaMAboDO:Fr+1T7W+7q+CCP8DqO
Static task
static1
Behavioral task
behavioral1
Sample
75ef5c2c26d3ccc5719073b3a6f2e1a3124843ef91bf5b65f7afdab4a90f9d8d.exe
Resource
win11-20231215-en
Malware Config
Extracted
remcos
2024
72.11.158.94:1604
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
vexplorers.exe
-
copy_folder
vexplorers
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-800RNZ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
75ef5c2c26d3ccc5719073b3a6f2e1a3124843ef91bf5b65f7afdab4a90f9d8d.exe
-
Size
474KB
-
MD5
25ba729a1538d68ad33fe36ca0548181
-
SHA1
1f87157d8d29b9d40b0e1ad6eb4617ba684c8f1a
-
SHA256
75ef5c2c26d3ccc5719073b3a6f2e1a3124843ef91bf5b65f7afdab4a90f9d8d
-
SHA512
86816fb6b3157e397a43828fcdc8dd7c0488ad7e634c49ecd13c12e28c0a88872f40c50287a4a01200638906a6781c6a38f6349374dc91b3c3c6f1ba5dfefbf9
-
SSDEEP
12288:6a7r+1Jt7W+FFqQ5xrW2nPD4EdaMAboDO:Fr+1T7W+7q+CCP8DqO
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-