General
-
Target
82d06e2792747b46de0d380084e555b5351701543b1eb13289a0ba199c09797a
-
Size
439KB
-
Sample
240417-qjx1psae9t
-
MD5
eff4e732cc6af6bde9706f6b76191107
-
SHA1
8a31fddb8dce807edd229008f80553dda9d2670c
-
SHA256
82d06e2792747b46de0d380084e555b5351701543b1eb13289a0ba199c09797a
-
SHA512
8a0cc98feff874f360501b5998180bee302d86bc5cf0b85553113edc30d92d7047390ceea9c89c8c643b8b483ece30e3083ff07fe4d7e0a05e69b2635fca8bf7
-
SSDEEP
12288:3BiEw9u4L5zVxhwvg1WevOAmbsOofq9wO:3/+xLbFxv9mwOoC9x
Static task
static1
Behavioral task
behavioral1
Sample
a7ab5280efdd1f09f7c15daafa507b5a889e30cb9bfa0060ae5cf29a64c9d410.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a7ab5280efdd1f09f7c15daafa507b5a889e30cb9bfa0060ae5cf29a64c9d410.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral3
Sample
Reservebeholdninger.ps1
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Reservebeholdninger.ps1
Resource
win10v2004-20240412-en
Malware Config
Extracted
remcos
GRACE
eweo9264gtuiort.duckdns.org:35966
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
ghyhne.dat
-
keylog_flag
false
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
gtsyhbnj-ZGGA79
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
- startup_value
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
a7ab5280efdd1f09f7c15daafa507b5a889e30cb9bfa0060ae5cf29a64c9d410.exe
-
Size
692KB
-
MD5
0613b5c6e1cbce2a95749aad0f66d0a5
-
SHA1
7efd22ff2aeed3bbe316bf99126b6934da672128
-
SHA256
a7ab5280efdd1f09f7c15daafa507b5a889e30cb9bfa0060ae5cf29a64c9d410
-
SHA512
e00bd747a765de4f07b162b85f3a9d0f054155fd48dc6fa08658d8e3a7b45403664943958a3dc3b4bcf67a2c59f2f6fddc94245a5c97d164099379dfdc73307d
-
SSDEEP
12288:Hpwiapd/PNMdUhTvaqOyXudHs+feJOgxQN08QbXyTTFakU5zxmRgZYqMC:HauFPfeQdQbX4FytdZnMC
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
Reservebeholdninger.Dak175
-
Size
58KB
-
MD5
a687f6d2ecff91aee4bd9e4d16a35089
-
SHA1
d2666e69bc1455afb305dc880889acedbd0fab03
-
SHA256
9667fc1a9915b7e9b53ec8d2d8711bf4855ca01420538e152e6f4624db54436c
-
SHA512
284b000a92f44c171188bf540f5fb36b564c0fbd381d548cd3cffc74efc43e8acdf12d7db2da4228d1bbcde1658c3136d989b9f0c70bcd1ecbae8276cba1c759
-
SSDEEP
1536:nEKsdqJnD8vjXSYoDO27FaOwfbUiemRLlvsbeeF5q2GY6E/0k5pS:nnsdqJD8vjXSY67F1wDUANuvN5s
Score8/10-
Modifies Installed Components in the registry
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-