General
- Target: DOCUMENT77@#$@@yyy#@#.exe
- Size: 946KB
- Sample: 240219-l8jgdscb8v
- MD5: 201947fbb912ee8c0f7eadb620188bef
- SHA1: 5842ca1cd58283eeda5b1fed41053bd05e660e62
- SHA256: a7e9fbef84a3e14d5e801f2004d75a47032df8fbb9da9dd86071098eeaf6a2d4
- SHA512: 2a2d04a45fddeee1c301ef4d76ec9ae7a277977c500d887ce520e81f112d1a5d105052c37aee32faa7368f92904d8ebb7d12944a5083a93a9c5033898804a584
- SSDEEP: 24576:pcx2PNShI959J60rmLPOWTaUHrFAgxKFdtuw:pcxsSMKSMWYdHrFly1
Static task
- static1
Behavioral task behavioral1
- Sample: DOCUMENT77@#$@@yyy#@#.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: DOCUMENT77@#$@@yyy#@#.exe
- Resource: win10v2004-20231215-en
Behavioral task behavioral3
- Sample: Patienternes/Wowserish/Biorytmeekspert/Rosenbrdene.ps1
- Resource: win7-20231215-en
Behavioral task behavioral4
- Sample: Patienternes/Wowserish/Biorytmeekspert/Rosenbrdene.ps1
- Resource: win10v2004-20231222-en
Malware Config
Extracted
remcos
Special
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- keylog_crypt: false
- keylog_file: lonjoup.dat
- keylog_flag: false
- keylog_path: %AppData%
- mouse_option: false
- mutex: lpereits-FZGND0
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value:
- take_screenshot_option: false
- take_screenshot_time: 5
Targets

Target: DOCUMENT77@#$@@yyy#@#.exe
- Size: 946KB
- MD5: 201947fbb912ee8c0f7eadb620188bef
- SHA1: 5842ca1cd58283eeda5b1fed41053bd05e660e62
- SHA256: a7e9fbef84a3e14d5e801f2004d75a47032df8fbb9da9dd86071098eeaf6a2d4
- SHA512: 2a2d04a45fddeee1c301ef4d76ec9ae7a277977c500d887ce520e81f112d1a5d105052c37aee32faa7368f92904d8ebb7d12944a5083a93a9c5033898804a584
- SSDEEP: 24576:pcx2PNShI959J60rmLPOWTaUHrFAgxKFdtuw:pcxsSMKSMWYdHrFly1
- Score: 10/10
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: Patienternes/Wowserish/Biorytmeekspert/Rosenbrdene.Unt
- Size: 48KB
- MD5: e2afce5a93604fa3c296d870c910fa5b
- SHA1: 20d1c2841bdab28d025c68fd4992376be2542f9e
- SHA256: 03836bcfc2896a835b714eca8a21ae7f6b5bdedeedd5d3f92b916ff576402a03
- SHA512: 2c112b710a4697a29975733317a18b57d140a5656ef97e69243c547a2b727d7b1f0c8b385ccb75ee92c3c0f99cb6d3e3cfa19006e16d07fd4e11efcc94faf3d1
- SSDEEP: 768:gJj8g4er4bsk9LIF/vV03U57kmUrgmFeAKKEHwPlHcjI2WcY9g/FQtsCggjhFAmr:Oj8JeadIF/903UK6AKRHI8M2Wltn3jTJ
- Score: 8/10
- Modifies Installed Components in the registry
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.