General
Target: 19042024_0340_2023 Tax Organizer.zip
Size: 10.6MB
Sample: 240419-d8xp1sff94
MD5: 283f7eabb82f578f49510915c4b2bf4f
SHA1: 719ddeb335d1a6ce6d58826a363e249d974b82f7
SHA256: bd8ff468b6fb4958059537257894153fc0cb9eb43f4a05c0b7c42ddd0fac7df9
SHA512: c5fd5916505024bca1c9fbbdadfb8e851072a8923d469778aefa7445aa174040494dd23ec32e5f55b9be1fb1db4bc710ea62191339432b412289a290a741c512
SSDEEP: 196608:Kr1D+scr7majR7NAiGmVRui3sBpQnAuRjoks+NhRKzxcneL94YoNpZVlV:KBD+sJ+2rmt3sBpQn7RkR8G94tpZd
Tasks
Static task static1
Behavioral task behavioral1: Tax Organizer 2023/Tax Organizer.exe, resource win7-20240221-en
Behavioral task behavioral2: Tax Organizer 2023/Tax Organizer.exe, resource win10v2004-20240412-en
Behavioral task behavioral3: Tax Organizer 2023/g2m.dll, resource win7-20240221-en
Behavioral task behavioral4: Tax Organizer 2023/g2m.dll, resource win10v2004-20240412-en
Malware Config
Extracted family: remcos
RemoteHost: faststaynow.duckdns.org:5057
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-DRFJJD
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
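The key/value block above is what a config extractor produces from the sample's embedded settings. The following is an added example (not part of the sandbox output and not Remcos's own code) of how such an extractor typically works: it decrypts an RC4-protected settings blob and splits it into fields. Everything about the packaging is an assumption taken from public Remcos write-ups rather than from this report: that the config sits in an RCDATA resource named "SETTINGS", that the first byte gives the RC4 key length followed by the key and ciphertext, that fields are separated by `|\x1e\x1e\x1f|`, and that field 0 is `host:port:password`. The index-to-name table for the remaining fields is hypothetical, and the blob the script decodes is constructed here from the report's RemoteHost, connect_interval, install_flag and mutex values so it runs offline.

```python
"""
Decode a Remcos-style SETTINGS blob into the key/value layout used in the report.

ASSUMPTIONS (from public Remcos analyses, not from this report):
  * config is an RCDATA resource named "SETTINGS"
  * byte 0 = RC4 key length, then the key, then RC4 ciphertext
  * plaintext fields are delimited by b"|\x1e\x1e\x1f|"
  * field 0 is "host:port:password"; FIELD_NAMES below is illustrative only,
    the real index layout differs between Remcos versions.
The SAMPLE_* values are CONSTRUCTED here; SAMPLE_BLOB is not the resource from g2m.dll.
"""
from __future__ import annotations

DELIM = b"|\x1e\x1e\x1f|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both packs and unpacks."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_settings_blob(key: bytes, fields: list[bytes]) -> bytes:
    """Pack fields the way the SETTINGS resource is assumed to be laid out."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, DELIM.join(fields))


def decode_settings_blob(blob: bytes) -> list[bytes]:
    """Inverse of build_settings_blob: read key length, key, decrypt, split."""
    if not blob:
        raise ValueError("empty blob")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("malformed SETTINGS blob")
    key = blob[1:1 + key_len]
    return rc4(key, blob[1 + key_len:]).split(DELIM)


# Hypothetical index -> report key mapping for a few fields; verify per version.
FIELD_NAMES = {1: "botnet", 2: "connect_interval", 3: "install_flag", 4: "mutex"}


def to_report_config(fields: list[bytes]) -> dict[str, str]:
    """Render decoded fields in the RemoteHost / mutex style of the report."""
    parts = fields[0].decode("utf-8", "replace").split(":")
    if len(parts) < 2:
        raise ValueError("field 0 is not host:port[:password]")
    cfg = {"RemoteHost": f"{parts[0]}:{parts[1]}"}  # password deliberately dropped
    for idx, name in FIELD_NAMES.items():
        if idx < len(fields):
            cfg[name] = fields[idx].decode("utf-8", "replace")
    return cfg


# Constructed test data: host/port, connect_interval, install_flag and mutex
# come from the report; the key, password and botnet name are made up.
SAMPLE_KEY = b"example-key-not-real"
SAMPLE_FIELDS = [
    b"faststaynow.duckdns.org:5057:1",
    b"Default",
    b"1",
    b"0",
    b"Rmc-DRFJJD",
]
SAMPLE_BLOB = build_settings_blob(SAMPLE_KEY, SAMPLE_FIELDS)


def decode_sample() -> dict[str, str]:
    return to_report_config(decode_settings_blob(SAMPLE_BLOB))


if __name__ == "__main__":
    for k, v in decode_sample().items():
        print(f"{k}: {v}")
```

Against a real binary you would feed `decode_settings_blob` the bytes of the SETTINGS resource (walking the PE resource directory with a library such as pefile) instead of `SAMPLE_BLOB`; check the delimiter and the field order on a known sample before trusting the named fields, since both have changed across Remcos releases.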
Targets

Target: Tax Organizer 2023/Tax Organizer.exe
Size: 31KB
MD5: 4db45c5fdb9e115b922bdf007523f082
SHA1: 90297382a170ff3ea7931db2425329d0b2f70f04
SHA256: a73709c1b5f1f875ee35f477c4e263a57050c36e2cff31ad1ceca17d9623e7cd
SHA512: 7f0bcb2ee96c523cce764d1ec7d197d3aadddcf6fae71b63e88c3a26883b2f2fb4a446187adfbb023be779056ebc0ea50a785c72bbe97bb7dca41a810d0ff6c7
SSDEEP: 384:V4Kj/M8y6ryzqEt7a9Oey+IFdP64VYaEwDtiBgxoxlnLr2STchsCxXBhgBx4eMDg:VHDXr+VWOV+csoHViBBn+hRIqeMDGt
Score: 3/10

Target: Tax Organizer 2023/g2m.dll
Size: 25.9MB
MD5: 485b8cc54d8a2fc27a1c0c1cafe21811
SHA1: b0011058e2babc680273aacf9eb382e85532d5a5
SHA256: 2643dbabde4595b6505a2c5f74810022a75322cb1c0a7a889783ad794f55df7d
SHA512: e7e7c207d76e00b047875b0937b6b81dbfd2623095095aaff656e2b9c90c49b5ba710bf9f997af346a928f7d1967cb39ee842e6ee62792aa5d100d90bdd86560
SSDEEP: 196608:+5H3zHriM3lONIfjm0S6VFWxtswdO8Nw3MRfW8+IiAp7kz8roTsWbbh7nkMM9haK:8rmKSPoTsWbbh7nkMGRNc4Y/kyZpJIgi
Score: 10/10
Signatures:
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger