General
-
Target
asdasd.html
-
Size
1.8MB
-
Sample
240423-fc6ddsdb9t
-
MD5
cb2670db598dc2a02b24d4d5d61438db
-
SHA1
50efd6135dfdc8d012c29821c403ad44b15c9bfc
-
SHA256
916e8104ac98f49c5639ad117f1e778beec15b6cfabdfa102e00fda205d0241c
-
SHA512
ae1696930dbd1616e6f6d143f0fe6ac12b6e6eb0e16f103ed1358d57f0b4aa7a69764062585d7dae6d21674e18c66a8a94d0c58c43b55c48b6b8c944f1e34a38
-
SSDEEP
768:f9rfcB8AGy9eGe2ujmLOOuWqQJHsVNrh8a+HQeOnAj0BqgpMSw:s8AGoeGe2TLSWbJHsVNrhR3u0Bhm
Static task
static1
Behavioral task
behavioral1
Sample
asdasd.html
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
asdasd.html
Resource
win10v2004-20240412-en
Malware Config
Extracted
remcos
FEB2024
45.144.214.27:8973
45.144.214.27:8974
plunder.jumpingcrab.com:8973
rem.webredirect.org:8973
rem.webredirect.org:8974
plunder.dedyn.io:8974
plunder.dedyn.io:8973
plunder.jumpingcrab.com:8974
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
DFG
-
mouse_option
false
-
mutex
DFN34-K1WBCP
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
-
take_screenshot_option
false
-
take_screenshot_time
5
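The extracted Remcos configuration above is only useful once it is turned into things a detection team can deploy and check. The following Python is an added example, not part of the sandbox report: it takes the C2 list, mutex and file-name fields exactly as the report shows them, splits the C2 entries into IP, domain and port sets, derives host artifacts, emits Suricata rules for the network indicators, and runs the IP:port indicators over a few constructed flow-log lines. The `%AppData%` base for `copy_folder` and `keylog_folder` is an assumption borrowed from the report's `screenshot_path`; the report itself does not state where the copy is written. The flow-log lines and the SID range are constructed for illustration.

```python
"""
Turn the Remcos config extracted in the report into deployable indicators.

Added example, not part of the sandbox report. Config values are copied
from the report; the flow-log lines at the bottom are constructed and
are not real traffic.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Config fields as shown in the report (only the ones we act on).
REMCOS_CONFIG = {
    "c2": [
        "45.144.214.27:8973",
        "45.144.214.27:8974",
        "plunder.jumpingcrab.com:8973",
        "rem.webredirect.org:8973",
        "rem.webredirect.org:8974",
        "plunder.dedyn.io:8974",
        "plunder.dedyn.io:8973",
        "plunder.jumpingcrab.com:8974",
    ],
    "mutex": "DFN34-K1WBCP",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_folder": "DFG",
    "keylog_file": "logs.dat",
}


@dataclass
class Indicators:
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    host_artifacts: list = field(default_factory=list)


def parse_c2(entry):
    """Split a 'host:port' C2 entry; return (host, port, is_ip)."""
    host, _, port = entry.rpartition(":")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return host, int(port), is_ip


def build_indicators(cfg):
    """Group the C2 list into IP / domain / port sets and derive host artifacts."""
    ind = Indicators()
    for entry in cfg["c2"]:
        host, port, is_ip = parse_c2(entry)
        (ind.ips if is_ip else ind.domains).add(host)
        ind.ports.add(port)
    # The %AppData% base directory is an assumption: the report gives only the
    # folder and file names, not the parent path they are created under.
    ind.host_artifacts = [
        ("mutex", cfg["mutex"]),
        ("path", rf"%AppData%\{cfg['copy_folder']}\{cfg['copy_file']}"),
        ("path", rf"%AppData%\{cfg['keylog_folder']}\{cfg['keylog_file']}"),
    ]
    return ind


def suricata_rules(ind, base_sid=9000000):
    """One TCP rule per (IP, port) pair, plus one DNS query rule per C2 domain.
    The SID range is arbitrary and must be adjusted to the local ruleset."""
    rules, sid = [], base_sid
    for ip in sorted(ind.ips):
        for port in sorted(ind.ports):
            rules.append(
                f'alert tcp $HOME_NET any -> {ip} {port} '
                f'(msg:"Remcos C2 {ip}:{port}"; flow:to_server; sid:{sid}; rev:1;)'
            )
            sid += 1
    for dom in sorted(ind.domains):
        rules.append(
            f'alert dns $HOME_NET any -> any any '
            f'(msg:"Remcos C2 DNS {dom}"; dns.query; content:"{dom}"; nocase; sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules


# Constructed flow log, "timestamp src dst dport"; not real traffic.
SAMPLE_FLOWS = """\
2024-04-23T14:01:02Z 10.0.0.5 45.144.214.27 8973
2024-04-23T14:01:09Z 10.0.0.5 93.184.216.34 443
2024-04-23T14:02:44Z 10.0.0.7 45.144.214.27 8974
2024-04-23T14:03:00Z 10.0.0.9 45.144.214.27 80
"""

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def match_flows(ind, log_text):
    """Return (ts, src, 'dst:port') for flows hitting a C2 IP on a C2 port.
    A connection to the C2 IP on an unrelated port (80 below) is not a hit."""
    hits = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        if dst in ind.ips and int(dport) in ind.ports:
            hits.append((ts, src, f"{dst}:{dport}"))
    return hits


if __name__ == "__main__":
    ind = build_indicators(REMCOS_CONFIG)
    for rule in suricata_rules(ind):
        print(rule)
    for hit in match_flows(ind, SAMPLE_FLOWS):
        print("HIT", hit)
```

The port-aware match is deliberate: the report ties this sample to ports 8973 and 8974 only, so a flow to the same address on another port is worth a look but is not evidence of this config. Widen `match_flows` to any port if the address itself is considered hostile.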
Targets
-
Target
asdasd.html
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-