General
Target: Quotation.xls
Size: 318KB
Sample: 240321-vsmcsach78
MD5: 1288f0ca168aacc05101ccc904e03583
SHA1: 1c20c0ce5de4f305a516078208fd34c1208cc0c6
SHA256: 9bfce7f2c5ab2456772fb35a7d4d9caf02d6ae5ec0e99d304de36177c30b46e7
SHA512: 49d6359a81c442ce4900bf067716938b35da182fc6ee853300de174ba2fc30c83804dcd69b7e8417717f44cefad439d9c143b342b0529efda58a48d25e289613
SSDEEP: 6144:r+unhXofKY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbV6AMIQbVUGWMWxodhf2:r/hXofr3bV6AMIQbVUGa2f2omen3Hm
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation.xls
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: Quotation.xls
  Resource: win10v2004-20240226-en
Malware Config
Extracted: remcos
RemoteHost: shgoini.com:30902
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-7XHN5V
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: Quotation.xls
Size: 318KB
MD5: 1288f0ca168aacc05101ccc904e03583
SHA1: 1c20c0ce5de4f305a516078208fd34c1208cc0c6
SHA256: 9bfce7f2c5ab2456772fb35a7d4d9caf02d6ae5ec0e99d304de36177c30b46e7
SHA512: 49d6359a81c442ce4900bf067716938b35da182fc6ee853300de174ba2fc30c83804dcd69b7e8417717f44cefad439d9c143b342b0529efda58a48d25e289613
SSDEEP: 6144:r+unhXofKY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbV6AMIQbVUGWMWxodhf2:r/hXofr3bV6AMIQbVUGa2f2omen3Hm
Score: 10/10
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext