General
-
Target
bb325a1a27e210b505fc7b7844424aebd14d2b30c819ce8abb0603df520d3a82
-
Size
439KB
-
Sample
240417-qd9gjsgg34
-
MD5
9f4cbbbf4663b914b37c5aacf7431872
-
SHA1
c52788fbd46d1b334757ab31d794bc5cabd3fa22
-
SHA256
bb325a1a27e210b505fc7b7844424aebd14d2b30c819ce8abb0603df520d3a82
-
SHA512
d6d3792ec2232bc686374b521444cb151b666a5deac33dabf1fe218faede34d0dbb8579f19464a8a4f16d54952ba371b8b23f099d7b31fa7fac2c4dd4f068adc
-
SSDEEP
12288:DJDM/Ima7YCW72K5roiAn+pR7KsrfkSF64Th:D1q7wm22ro+pR2qfkwb
Static task
static1
Behavioral task
behavioral1
Sample
a7ab5280efdd1f09f7c15daafa507b5a889e30cb9bfa0060ae5cf29a64c9d410.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
a7ab5280efdd1f09f7c15daafa507b5a889e30cb9bfa0060ae5cf29a64c9d410.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral3
Sample
Reservebeholdninger.ps1
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Reservebeholdninger.ps1
Resource
win10v2004-20240412-en
Malware Config
Extracted
remcos
GRACE
eweo9264gtuiort.duckdns.org:35966
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
ghyhne.dat
-
keylog_flag
false
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
gtsyhbnj-ZGGA79
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
- startup_value
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
a7ab5280efdd1f09f7c15daafa507b5a889e30cb9bfa0060ae5cf29a64c9d410.exe
-
Size
692KB
-
MD5
0613b5c6e1cbce2a95749aad0f66d0a5
-
SHA1
7efd22ff2aeed3bbe316bf99126b6934da672128
-
SHA256
a7ab5280efdd1f09f7c15daafa507b5a889e30cb9bfa0060ae5cf29a64c9d410
-
SHA512
e00bd747a765de4f07b162b85f3a9d0f054155fd48dc6fa08658d8e3a7b45403664943958a3dc3b4bcf67a2c59f2f6fddc94245a5c97d164099379dfdc73307d
-
SSDEEP
12288:Hpwiapd/PNMdUhTvaqOyXudHs+feJOgxQN08QbXyTTFakU5zxmRgZYqMC:HauFPfeQdQbX4FytdZnMC
Score10/10-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
Reservebeholdninger.Dak175
-
Size
58KB
-
MD5
a687f6d2ecff91aee4bd9e4d16a35089
-
SHA1
d2666e69bc1455afb305dc880889acedbd0fab03
-
SHA256
9667fc1a9915b7e9b53ec8d2d8711bf4855ca01420538e152e6f4624db54436c
-
SHA512
284b000a92f44c171188bf540f5fb36b564c0fbd381d548cd3cffc74efc43e8acdf12d7db2da4228d1bbcde1658c3136d989b9f0c70bcd1ecbae8276cba1c759
-
SSDEEP
1536:nEKsdqJnD8vjXSYoDO27FaOwfbUiemRLlvsbeeF5q2GY6E/0k5pS:nnsdqJD8vjXSY67F1wDUANuvN5s
Score8/10-
Modifies Installed Components in the registry
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-