General
- Target: Ref-OTR-02811853280324992230.Tar
- Size: 1.2MB
- Sample: 240419-z1y4rsff97
- MD5: 6f4d48e8eb489eb5b7343015dc00dd3a
- SHA1: 0be25a82493ab11ad8dd83318f74d363b0fb27f7
- SHA256: 62f600400e1d03e8e9abe44fc8fd40100fc9bbd4eeb55ac03de7f6d1ed2d9771
- SHA512: 95d5bd9ca4cb1d174232cee2c7621ab638fb45dabc8503055da1edb31ffeb3402dc4f364912eeff7baaa2c61ed63478265c8f1fc8b5d557cfce73ede0e183b2e
- SSDEEP: 12288:62M1Hhkc6bYfsiBq8rI7gti8POOS5a9FWGk4vozUNMHPn0ezCgueiDrqOsykr2Cy:6B16cEiw8k7gtI/pLzhv0DUr2Ch9ztpC
Static task: static1
Behavioral task: behavioral1
- Sample: Ref-OTR-02811853280324992230.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: Ref-OTR-02811853280324992230.exe
- Resource: win10v2004-20240412-en
Malware Config
Extracted: remcos
- RemoteHost:
  104.254.90.251:20990
  141.98.101.133:20990
  199.249.230.27:20990
  213.152.161.30:20990
  128.127.104.80:20990
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: log.dat
- keylog_flag: false
- keylog_folder: Services
- keylog_path: %AppData%
- mouse_option: false
- mutex: -EK73GW
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: image
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value:
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: Gemini;banking;online;secure;digital;crypto;card;bitcoin;coin;bank;checkout;pay;personal;mastercard;visa;wallet;paypal;admin;blockchain;coinbase;transaction;confidential;recover;recovery;phrase;key;bit;ethereum;WhatsApp;transfer;sign;wire;login;credit card;paypal;account information;bank;deposit;creditcard;debitcard;wire,wiretransfer;statementofaccount;purchaseorder;phonenumber;payment;wallet;cheque;
Targets
- Target: Ref-OTR-02811853280324992230.CMD
- Size: 1.2MB
- MD5: 42ed296028e6834ed96586dfc820da02
- SHA1: 1794d672ee43a8180a09c3a0549d770aa2442cf4
- SHA256: 2a24851c378f0a1a2a2b2c38d47872ce54763c1d692010ad8fad4ad1c5b1a42e
- SHA512: ab810148ae2c9710689273c58edcf8bf9b05a530b7441c328a2dc08abc4f403790c5e3b4afc8c0ad963d24ccc9d443fd4485b0dfc7da7da42b28d1ef6f6c5f05
- SSDEEP: 12288:W2M1Hhkc6bYfsiBq8rI7gti8POOS5a9FWGk4vozUNMHPn0ezCgueiDrqOsykr2Cw:WB16cEiw8k7gtI/pLzhv0DUr2Ch9ztp
- Score: 10/10
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application