General
- Target: bf7263b764e448afc9ebc0a2b1d3c5cb
- Size: 373KB
- Sample: 240311-bg7d2age7z
- MD5: bf7263b764e448afc9ebc0a2b1d3c5cb
- SHA1: 0b424d6643fd2f8612c2716128df1cfb5e6e576d
- SHA256: 41cbe11b74100e521c478735575ad3f150c201e8bda5c3f1b2485dc9c34a60ba
- SHA512: 6dd9f97b9985d8b9399c98db7b1d75bcfd4ff16ae52486eaeb937cb8b06658e7dda2b17682828db3cbd0deef1c948b618cdaf4dd55165515caabf30d5a50dd47
- SSDEEP: 6144:Bdg5n5DJJL7XJAnY7yo0nqsJ445mgy+sk8VAX8dN4pO:6nnJHX+nO8hJB5mKD8ZZ
Behavioral task: behavioral1
- Sample: bf7263b764e448afc9ebc0a2b1d3c5cb.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: bf7263b764e448afc9ebc0a2b1d3c5cb.exe
- Resource: win10v2004-20240226-en
Malware Config
Extracted
- Family: remcos
- Version: 1.7 Pro
- Botnet: April
- C2: 137.74.176.164:1960
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: hebyd783.exe
- copy_folder: 6ytghb
- delete_file: false
- hide_file: true
- hide_keylog_file: false
- install_flag: true
- install_path: %Temp%
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: 345e6r7t8y9uu9776eertryuy
- keylog_path: ApplicationPath
- mouse_option: false
- mutex: remcos_ltcntfbhju
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: 546rt7gy8u980i9i08675e
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: bf7263b764e448afc9ebc0a2b1d3c5cb
Score: 10/10
Signatures
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext
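The extracted configuration and the persistence signatures above translate directly into host and network hunting checks. The following Python is an added example, not code from the sandbox report or from the Remcos family: it expands the config's install_path/copy_folder/copy_file settings into concrete paths for an assumed user profile, derives the C2 endpoint, mutex and Run-key value name, and matches them against a constructed set of host telemetry (registry autoruns, mutex names, outbound flows). It also adds a generic check that does not depend on this build's random names, flagging any Run, policy Run or Winlogon value whose data points under the user's Temp folder, which is what the three persistence signatures amount to for a %Temp% install. The environment mapping, the telemetry records and every helper name are assumptions made for the example.

```python
"""Hunt for the Remcos build described above using its extracted config.

Added example (not from the sandbox report or from Remcos). Config values are
copied from the report; the environment mapping, host telemetry and helper
names are constructed for this demo.
"""

# Copied from the extracted config above (only the fields the hunt needs).
REMCOS_CONFIG = {
    "c2": "137.74.176.164:1960",
    "install_path": "%Temp%",
    "copy_folder": "6ytghb",
    "copy_file": "hebyd783.exe",
    "mutex": "remcos_ltcntfbhju",
    "startup_value": "546rt7gy8u980i9i08675e",
    "audio_path": "%AppData%",
    "audio_folder": "audio",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screens",
}

# Assumed expansion of the config placeholders for a profile "alice" (constructed).
ENV = {
    "%Temp%": r"C:\Users\alice\AppData\Local\Temp",
    "%AppData%": r"C:\Users\alice\AppData\Roaming",
}

# Constructed host telemetry: (key, value name, value data) autorun triples,
# mutex names seen on the host, and outbound flows. Three autoruns, one mutex
# and one flow are planted to look like this sample; the rest are benign noise.
HOST_TELEMETRY = {
    "registry": [
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
         r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "546rt7gy8u980i9i08675e",
         r"C:\Users\alice\AppData\Local\Temp\6ytghb\hebyd783.exe"),
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
         "546rt7gy8u980i9i08675e", r"C:\Users\alice\AppData\Local\Temp\6ytghb\hebyd783.exe"),
        (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
         r"explorer.exe,C:\Users\alice\AppData\Local\Temp\6ytghb\hebyd783.exe"),
    ],
    "mutexes": ["Local\\SM0:1234:120:WilError_03", "remcos_ltcntfbhju"],
    "netflows": [
        "10.0.0.5:51234 -> 142.250.74.46:443 TCP",
        "10.0.0.5:51235 -> 137.74.176.164:1960 TCP",
    ],
}


def expand(template, env=ENV):
    """Replace %Temp%/%AppData% style placeholders with concrete profile paths."""
    for placeholder, path in env.items():
        template = template.replace(placeholder, path)
    return template


def derive_iocs(cfg, env=ENV):
    """Turn the config into the concrete artifacts the implant would leave."""
    install_dir = expand(cfg["install_path"], env) + "\\" + cfg["copy_folder"]
    c2_ip, c2_port = cfg["c2"].rsplit(":", 1)
    return {
        "install_exe": install_dir + "\\" + cfg["copy_file"],
        "audio_dir": expand(cfg["audio_path"], env) + "\\" + cfg["audio_folder"],
        "screenshot_dir": expand(cfg["screenshot_path"], env) + "\\" + cfg["screenshot_folder"],
        "mutex": cfg["mutex"],
        "run_value": cfg["startup_value"],
        "c2_ip": c2_ip,
        "c2_port": int(c2_port),
    }


def hunt(iocs, telemetry):
    """Sample-specific matches: Run-key value name, dropped path, mutex, C2 endpoint."""
    findings = []
    for key, name, data in telemetry["registry"]:
        if name == iocs["run_value"] or iocs["install_exe"].lower() in data.lower():
            findings.append(f"registry {key}\\{name} = {data}")
    for mutex in telemetry["mutexes"]:
        if mutex == iocs["mutex"]:
            findings.append(f"mutex {mutex}")
    endpoint = f"{iocs['c2_ip']}:{iocs['c2_port']}"
    for flow in telemetry["netflows"]:
        if endpoint in flow:
            findings.append(f"netflow {flow}")
    return findings


def suspicious_autoruns(telemetry):
    """Generic check that survives per-build renaming: any Run, policy Run or
    Winlogon value whose data points at something under the user's Temp folder."""
    marker = "\\appdata\\local\\temp\\"
    return [f"{key}\\{name} = {data}"
            for key, name, data in telemetry["registry"] if marker in data.lower()]


if __name__ == "__main__":
    iocs = derive_iocs(REMCOS_CONFIG)
    for k, v in iocs.items():
        print(f"{k:15} {v}")
    print("\nsample-specific hits:", *hunt(iocs, HOST_TELEMETRY), sep="\n  ")
    print("\ngeneric Temp-autorun hits:", *suspicious_autoruns(HOST_TELEMETRY), sep="\n  ")
```

Lean on the Run-key value name, the dropped path, the mutex and the C2 endpoint: those are set by install_flag, copy_folder/copy_file, mutex and the C2 field, all of which are active in this config. The audio and screenshot directories are derived for completeness only; with take_screenshot_option, screenshot_flag and keylog_flag all false in this build, those folders are low-confidence artifacts and may never be created.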