General
-
Target
hjc.exe
-
Size
1.6MB
-
Sample
240423-x6c3dabb85
-
MD5
da7c2473b5c455f25f420827af596286
-
SHA1
101b5f991a26fc9213c4445bd9bfdb87a6a6c5cb
-
SHA256
e1cecfcc4eed2f4b74af7d971dcf24555534db164ddb0b7cd1e821b2f0402703
-
SHA512
cd6b9cd996c3bca3aa0be5d0cebebb7db1701878d5c62354d6df4c880d4af8007c95baf7f0ac9e75b099c7b3573dc23afa3a872213a9963b84c86028e6969959
-
SSDEEP
24576:7MkT4gLKu9KKozJQd/HJNRO/B8M6wIJp4m+3bu8U2flxAv:QkTpT9K1mzy8M6wW4mEQ2W
Static task
static1
Behavioral task
behavioral1
Sample
hjc.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
hjc.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
remcos
RemoteHost
oceansss.duckdns.org:1144
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
fgdghrd
-
mouse_option
false
-
mutex
Rmc-VLI916
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
hjc.exe
-
Size
1.6MB
-
MD5
da7c2473b5c455f25f420827af596286
-
SHA1
101b5f991a26fc9213c4445bd9bfdb87a6a6c5cb
-
SHA256
e1cecfcc4eed2f4b74af7d971dcf24555534db164ddb0b7cd1e821b2f0402703
-
SHA512
cd6b9cd996c3bca3aa0be5d0cebebb7db1701878d5c62354d6df4c880d4af8007c95baf7f0ac9e75b099c7b3573dc23afa3a872213a9963b84c86028e6969959
-
SSDEEP
24576:7MkT4gLKu9KKozJQd/HJNRO/B8M6wIJp4m+3bu8U2flxAv:QkTpT9K1mzy8M6wW4mEQ2W
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-