General
-
Target
sam.exe
-
Size
1.8MB
-
Sample
240131-jn8jnsfff8
-
MD5
bdd9f01d55b21f77f160ff1ef458f1ba
-
SHA1
eb032bea83d9f31a66de45461c486cebc4c16da2
-
SHA256
94260b8e095f80b625c7d948d68316c27d001b614db45f6993570685e3bb9d88
-
SHA512
3e4e76c472da0f7f760c4d9b1f0e909082408b9edf64d7894a1e3d4be28d261d2ecc4bb6cbd6ad9f29fda36b60760a2c8ec0f44dd9a3b251254e08d21fa46005
-
SSDEEP
24576:g7+dhTZPoW+yd+NM//vHQqlTHl4Vb24WX3k7wXTz8QGFUZfM+7Dfavrjnpir0gOf:gcP7HHQU72UHk7c7mvrq0gOP2QJRWuv
Static task
static1
Behavioral task
behavioral1
Sample
sam.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
sam.exe
Resource
win10v2004-20231215-en
Malware Config
Extracted
remcos
JAN 28
suntit.ddns.net:1992
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
xbzmxnz-VOHP2H
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
sam.exe
-
Size
1.8MB
-
MD5
bdd9f01d55b21f77f160ff1ef458f1ba
-
SHA1
eb032bea83d9f31a66de45461c486cebc4c16da2
-
SHA256
94260b8e095f80b625c7d948d68316c27d001b614db45f6993570685e3bb9d88
-
SHA512
3e4e76c472da0f7f760c4d9b1f0e909082408b9edf64d7894a1e3d4be28d261d2ecc4bb6cbd6ad9f29fda36b60760a2c8ec0f44dd9a3b251254e08d21fa46005
-
SSDEEP
24576:g7+dhTZPoW+yd+NM//vHQqlTHl4Vb24WX3k7wXTz8QGFUZfM+7Dfavrjnpir0gOf:gcP7HHQU72UHk7c7mvrq0gOP2QJRWuv
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Creates new service(s)
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1