General
Target: CDE_2044850790_PDF.Tar
Size: 962KB
Sample: 240419-syya5agh2t
MD5: ef9596c2f58aea802c4ef5e1b1d7cf45
SHA1: bcc3b63350bb891efa1565d3bfc695c79a9afe88
SHA256: 35f299808b22a77def2f1173cda754eaf804771fddd6e024d4d44bd47d8bf03e
SHA512: bf9f83ad21897a5b448d6f3ccb78f25bde477c90b07cdfa435e45490e76365fef9eb441ed02fd9adc4a0512c9e7ecf956c0777d62df5c231643d89ba14f014d5
SSDEEP: 24576:eonmjNY3N995kJgUrdU5A8YfZo1wx2UU6SvFjQfF+:eonmy9v5kJgUaO+wxws0
Static task: static1
Behavioral task: behavioral1
Sample: CDE_2044850790_PDF.cmd
Resource: win10v2004-20240412-it
Malware Config
Extracted
remcos
BiggsCrypt
20.121.128.235:4876
20.121.128.235:4834
20.121.128.235:4845
20.121.128.235:4674
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: oooa.dat
keylog_flag: false
keylog_path: %UserProfile%
mouse_option: false
mutex: wwowsasazaza-RIAKS5
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value:
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: CDE_2044850790_PDF.cmd
Size: 3.4MB
MD5: a42a317ed1791e39e4e615e53e3a7566
SHA1: e8da852c8b5fdb181f6f97f2bbef4da40de8b5cc
SHA256: ffd7766f1856786dcb90a9612d7f58d97a6139e34cb7e9cc72848565a5b49433
SHA512: 4a154d1fc84f9fda0733901e8455a0b2babfaa51dc122b99b8a4607b81b010e2b7a60bd4cb7a99a1b45c1c63a18594519390726bb772f22d6083785a8870f33b
SSDEEP: 49152:XPT9trJgjekSb3rAcSLOffS2HrE4k5oIwxiCuQH/gSzwaqvcpoPpJ6Iinax9TKsq:b
Score: 10/10
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application