General
-
Target
FACT09865456000900[1].exe
-
Size
865KB
-
Sample
240406-rmr5ascb7y
-
MD5
1b10d3892be9b8ec9321453186a37807
-
SHA1
30ebf57646c9f614e332cc8d91652ad9f6f9cda2
-
SHA256
ae39d4665f3d31c1fe4f380c446519d4bb25314267c9c2a61605d2313a76d5b7
-
SHA512
2528b47115e96c434b02e70c5997d86cd7f31e178a0883627caa0577b32961fc4ef1a4ce32f5af6aeda37ea5bcf5e65749d6c0f532955133e1a3bc823093a7c4
-
SSDEEP
24576:118acXroMvoMpaUkd72Ez0QjZe6y/+0y:1Sx2572Q7jI68
Malware Config
Extracted
remcos
RemoteHost
107.175.229.139:8087
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-TLPQMO
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
FACT09865456000900[1].exe
-
Size
865KB
-
MD5
1b10d3892be9b8ec9321453186a37807
-
SHA1
30ebf57646c9f614e332cc8d91652ad9f6f9cda2
-
SHA256
ae39d4665f3d31c1fe4f380c446519d4bb25314267c9c2a61605d2313a76d5b7
-
SHA512
2528b47115e96c434b02e70c5997d86cd7f31e178a0883627caa0577b32961fc4ef1a4ce32f5af6aeda37ea5bcf5e65749d6c0f532955133e1a3bc823093a7c4
-
SSDEEP
24576:118acXroMvoMpaUkd72Ez0QjZe6y/+0y:1Sx2572Q7jI68
Score10/10-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
ModiLoader Second Stage
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-