General

Target: 1.exe
Size: 1.1MB
Sample: 240215-qxzrfsgh93
MD5: 69e37fcc0df26cb81fd06e5dfb260144
SHA1: 839808ef40530e153fdb1f0fdb390b56c1982b6d
SHA256: 44751e144b4dae403bf009e1a5461d0b7ec7b0f5e95ae6b149e0c653e4ab7b17
SHA512: 5361c923c58330ba71f72374341543a7863223592489526f3d561a7d6f010a3a63ce6559f85474458097ebc818b77073cfb5a648c4084a95d7eaa5c31f2e860c
SSDEEP: 24576:pRmJkcoQricOIQxiZY1ia7oOq0/WkgZ6Xw1EGBHS:mJZoQrbTFZY1ia7oOLW6A1E+HS
Static task
static1

Behavioral task
behavioral1
Sample: 1.exe
Resource: win7-20231215-en

Behavioral task
behavioral2
Sample: 1.exe
Resource: win10v2004-20231222-en
Malware Config

Extracted
Family: remcos
Botnet: jnchinacp
C2: jnchina.ydns.eu:1177
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-1632I1
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
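The page lists the extracted Remcos configuration but not how it was recovered. The block below is an added example, not the sandbox's extractor and not code from the sample: it decodes a Remcos-style SETTINGS blob (1-byte key length, RC4 key, RC4-encrypted body, fields separated by `|\x1e\x1e\x1f|`, a layout reported in public Remcos analyses and assumed here for this build), maps the fields onto the names used in the report, and derives the artefacts worth hunting for. Field index 0 (C2 list) and index 1 (botnet name) follow those analyses; the order of the remaining fields, the RC4 key, and the `build_settings` encoder used to construct the test blob are assumptions of this example. Pulling the real RCDATA resource named SETTINGS out of the PE (for instance with pefile) is left outside the block.

```python
from typing import Dict, List, Set, Tuple

# Field separator reported in public Remcos analyses; which separator a given
# build uses is version-dependent, so treat this as an assumption for 1.exe.
FIELD_DELIM = b"|\x1e\x1e\x1f|"
C2_DELIM = "\x1e\x1e\x1f"  # separates multiple host:port entries inside field 0

# Names for the field indices this example decodes. Index 0 (C2 list) and
# index 1 (botnet name) follow published analyses; the remaining order is an
# assumption chosen so the output lines up with the report's field names.
FIELD_NAMES = [
    "c2", "botnet", "connect_interval", "install_flag", "copy_folder",
    "copy_file", "mutex", "keylog_flag", "keylog_folder", "keylog_file",
    "keylog_crypt", "screenshot_flag", "screenshot_time", "screenshot_folder",
    "audio_record_time", "audio_folder", "hide_file", "delete_file",
]
BOOL_FIELDS = {"install_flag", "keylog_flag", "keylog_crypt", "screenshot_flag",
               "hide_file", "delete_file"}
INT_FIELDS = {"connect_interval", "screenshot_time", "audio_record_time"}

# Constructed plaintext fields mirroring the report above (values from the page,
# layout from this example). Remcos stores booleans as "0"/"1".
SAMPLE_FIELDS = [
    "jnchina.ydns.eu:1177", "jnchinacp", "1", "0", "Remcos",
    "remcos.exe", "Rmc-1632I1", "0", "remcos", "logs.dat",
    "0", "0", "10", "Screenshots",
    "5", "MicRecords", "0", "0",
]
SAMPLE_KEY = b"\x5a\x07\xc3\x19\x88"  # constructed RC4 key, not the sample's


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_settings(fields: List[str], key: bytes) -> bytes:
    """Constructed encoder used only to produce a test blob: 1-byte key length,
    key, then the RC4-encrypted delimited fields. In practice the blob is the
    RCDATA resource named SETTINGS pulled from the PE (e.g. with pefile)."""
    body = FIELD_DELIM.join(f.encode("latin-1") for f in fields)
    return bytes([len(key)]) + key + rc4(key, body)


def decode_settings(blob: bytes) -> List[str]:
    """Reverse of the layout above: strip the key, RC4-decrypt, split fields."""
    if not blob:
        raise ValueError("empty SETTINGS blob")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("implausible key length prefix")
    key, body = blob[1:1 + key_len], blob[1 + key_len:]
    plain = rc4(key, body)
    if FIELD_DELIM not in plain:
        raise ValueError("no field delimiter after decryption: wrong key or layout")
    return [f.decode("latin-1") for f in plain.split(FIELD_DELIM)]


def parse_config(fields: List[str]) -> Dict[str, object]:
    """Map raw fields onto the report's names and types."""
    if len(fields) < len(FIELD_NAMES):
        raise ValueError(f"expected at least {len(FIELD_NAMES)} fields, got {len(fields)}")
    cfg: Dict[str, object] = dict(zip(FIELD_NAMES, fields))
    hosts: List[Tuple[str, int]] = []
    for entry in str(cfg["c2"]).split(C2_DELIM):
        host, port = entry.split(":")[:2]  # newer builds append extra flags after the port
        hosts.append((host, int(port)))
    cfg["c2"] = hosts
    for name in BOOL_FIELDS:
        cfg[name] = cfg[name] == "1"
    for name in INT_FIELDS:
        cfg[name] = int(str(cfg[name]))
    return cfg


def indicators(cfg: Dict[str, object]) -> Set[str]:
    """Host and network artefacts to hunt for. Paths are only emitted when the
    matching flag is on: with install_flag false, copy_folder/copy_file are
    never used by the RAT itself, so they make poor indicators."""
    out = {f"mutex:{cfg['mutex']}"}
    out.update(f"net:{host}:{port}" for host, port in cfg["c2"])
    if cfg["install_flag"]:
        out.add(f"file:%AppData%\\{cfg['copy_folder']}\\{cfg['copy_file']}")
    if cfg["keylog_flag"]:
        out.add(f"file:%AppData%\\{cfg['keylog_folder']}\\{cfg['keylog_file']}")
    return out


if __name__ == "__main__":
    blob = build_settings(SAMPLE_FIELDS, SAMPLE_KEY)
    cfg = parse_config(decode_settings(blob))
    for line in sorted(indicators(cfg)):
        print(line)
```

For this configuration the only indicators that survive the flag check are the mutex `Rmc-1632I1` and the C2 `jnchina.ydns.eu:1177`; the `%AppData%\Remcos\remcos.exe` and `logs.dat` paths are conditional on flags the sample has off, which is why a config dump should be read alongside the behavioural signatures rather than turned into file-path IOCs wholesale.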
Targets

Target: 1.exe
Score: 10/10

Signatures
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- AutoIT Executable: AutoIT scripts compiled to PE executables
- Suspicious use of SetThreadContext
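Three of the signatures above (Drops startup file, Executes dropped EXE, Loads dropped DLL) have direct equivalents in endpoint telemetry, so they can be re-checked outside the sandbox. The block below is an added example, not the sandbox's signature logic: it runs a one-pass hunt over constructed Sysmon-style events (EventID 1 ProcessCreate, 7 ImageLoad, 11 FileCreate, 13 RegistryEvent value set), correlating files the sample wrote to user-writable directories with later execute and load events, and flagging Startup-folder or Run-key persistence. The user name, the `helper.dll` name and the registry path are assumptions for illustration. It deliberately keys on "dropped then executed" rather than the literal `%AppData%\Remcos\remcos.exe` path, since the extracted config has install_flag off and the drop seen by the sandbox need not use that path. The remaining signatures (the NirSoft tool matches, the AutoIT wrapper, Outlook account access, and SetThreadContext) come from static scanning and API-level hooking; Sysmon logs neither registry reads nor SetThreadContext, so they are not reproduced here.

```python
import re
from typing import Dict, List, Tuple

# Directories a user-level process can write to; a binary executed or loaded
# from here after the sample wrote it is the signal. Assumed set, extend as needed.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)
# Startup-folder writes and Run/RunOnce value sets cover "Drops startup file".
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\|\\CurrentVersion\\Run(Once)?\b", re.I)

Event = Dict[str, object]
Finding = Tuple[str, str, str]  # (signature, actor image, target)

# Constructed Sysmon-style events. Paths, user name, registry key and the
# helper DLL are assumptions for illustration, not observations from the report.
EVENTS: List[Event] = [
    {"EventID": 11, "Image": r"C:\Users\u\Desktop\1.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Remcos\remcos.exe"},
    {"EventID": 11, "Image": r"C:\Users\u\Desktop\1.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\helper.dll"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Roaming\Remcos\remcos.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Remcos"},
    {"EventID": 1, "ParentImage": r"C:\Users\u\Desktop\1.exe",
     "Image": r"C:\Users\u\AppData\Roaming\Remcos\remcos.exe"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Roaming\Remcos\remcos.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\helper.dll"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\userinit.exe",
     "Image": r"C:\Windows\explorer.exe"},  # benign: not a dropped file
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},  # benign: system DLL
]


def hunt(events: List[Event]) -> List[Finding]:
    """Single pass that remembers which EXE/DLL files were written to
    user-writable paths so later execute/load events can be tied to the dropper."""
    dropped: Dict[str, str] = {}  # lower-cased path -> image that created it
    findings: List[Finding] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:  # FileCreate
            target = str(ev["TargetFilename"])
            if USER_WRITABLE.search(target) and target.lower().endswith((".exe", ".dll")):
                dropped[target.lower()] = str(ev["Image"])
            if STARTUP.search(target):
                findings.append(("drops_startup_file", str(ev["Image"]), target))
        elif eid == 13 and STARTUP.search(str(ev["TargetObject"])):  # Run key set
            findings.append(("drops_startup_file", str(ev["Image"]), str(ev["TargetObject"])))
        elif eid == 1:  # ProcessCreate of something the sample wrote earlier
            image = str(ev["Image"])
            if image.lower() in dropped:
                findings.append(("executes_dropped_exe", dropped[image.lower()], image))
        elif eid == 7:  # ImageLoad of a DLL the sample wrote earlier
            loaded = str(ev["ImageLoaded"])
            if loaded.lower() in dropped:
                findings.append(("loads_dropped_dll", str(ev["Image"]), loaded))
    return findings


if __name__ == "__main__":
    for sig, actor, target in hunt(EVENTS):
        print(f"{sig:22} {actor} -> {target}")
```

The correlation is ordered: an execute or load only counts if the file-create event for the same path was seen first, which is what separates a dropped payload from a legitimately installed binary living in the same directory tree.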