General
-
Target
Quotation 20242204.tar.gz
-
Size
1.0MB
-
Sample
240422-pxbtysbd62
-
MD5
ec3bfbe26172b4d80308567282932b51
-
SHA1
d79276c975760f5d1c68f0fcac2c4b0841bcc462
-
SHA256
c42cbf2a4ad7612109535b71965bd6f8cea193e18d96ea1a830cd2d465fc9294
-
SHA512
95e68244b0fbfc2fc63e8a034fba3e45e5112c2d0775f9074df9677d4948744d74b3929d02c4844f8bf3a5aaad40f361772c71dc2c625df7ae17b8f9a790c135
-
SSDEEP
24576:NByNDOXJb5FCaFqP8JhM5vz1zkGIOj2uiWwPVKTx2qAEpKOFj:NByNcpIIh6vKGSuiWYwTx5AmF
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:47212
officerem.duckdns.org:47212
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-I8N3XG
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
Quotation 20242204.exe
-
Size
1.6MB
-
MD5
603c7916d424615645d6ee0fffa00011
-
SHA1
6f464f23eb81606067f93036dc5cdc61f7bb855b
-
SHA256
25adcfe6b38aead70b4b0020ecba72d0343b6f3d3bb406100593b7f1349e0300
-
SHA512
f400834902c5886b680fa8376fee88c77ec352b0a00221e98fbe268d71ac6feb0826fb5c53d71cb66cc457d6b3a64c3c881f059dd75bb9b097d51868ea07cf90
-
SSDEEP
24576:7MkT4gLKu9KKozJQd/HJNRO/BqM6wIJp4m+3bu8U2flxAv:QkTpT9K1mzyqM6wW4mEQ2W
Score10/10-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
ModiLoader Second Stage
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-