General
- Target: FP-Trading_PO240001.exe
- Size: 1.1MB
- Sample: 240130-hysqjacdem
- MD5: 1054af75495448aff0b28888fbfd2e25
- SHA1: 807a8f994eccd974baa9aadd1809b8b37ddea9eb
- SHA256: 43e06682b919ac1e1ed1a3093df3a0f7d261e424ba2839243fa03f4ae2cedb75
- SHA512: 7a338e7bbeb1728a7f552782f230b3f7b53eabfc891111b60f0f3c9b6b3e01fe8653cc87b298b45d9caa077ade8ca23a92fe09cbf9b90f1f47f294cc3b7949c3
- SSDEEP: 24576:bk4u02ahnCl3+ijHXadOUFeAxIsR9+6EpO:QuebXadOUvII
Static task: static1
Behavioral task: behavioral1
- Sample: FP-Trading_PO240001.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: FP-Trading_PO240001.exe
- Resource: win10v2004-20231222-en
Malware Config
Extracted
remcos
24
162.218.122.24:5707
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-A49MY7
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: FP-Trading_PO240001.exe
- Size: 1.1MB
- MD5: 1054af75495448aff0b28888fbfd2e25
- SHA1: 807a8f994eccd974baa9aadd1809b8b37ddea9eb
- SHA256: 43e06682b919ac1e1ed1a3093df3a0f7d261e424ba2839243fa03f4ae2cedb75
- SHA512: 7a338e7bbeb1728a7f552782f230b3f7b53eabfc891111b60f0f3c9b6b3e01fe8653cc87b298b45d9caa077ade8ca23a92fe09cbf9b90f1f47f294cc3b7949c3
- SSDEEP: 24576:bk4u02ahnCl3+ijHXadOUFeAxIsR9+6EpO:QuebXadOUvII
Score: 10/10
- Detect ZGRat V1
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext