General
Target: tmp.bak
Size: 1.1MB
Sample: 240424-cmsy9seb5x
MD5: 12886a2dee7a2b1317ecf8ffd45fdaf0
SHA1: e17838a0fb05d7937da2b9cb93eccb3073ed6433
SHA256: e06192109b6d3127d32b4c12cf7b2be4c3f92786cdafed85dabaa4ee612f2035
SHA512: cf1e1855b62eb2e44e4308b2c0c77d2f3a1480474f308bc650e3b262822d0918594fc7fcabaf79fb05e2610068c70b75f6bbaca09ab59fde8f9f4aa29e1b23b0
SSDEEP: 12288:Wo4uvLCzxsmw76ZNhGzwtsML5oEYWd/KFMgARCgPvu47KsPGO31Moviein4ox3CT:WYLCmgrOwvN/KFMgAQgPSWliei4oxyT
Static task: static1
Behavioral task: behavioral1 (sample tmp.exe, resource win7-20240221-en)
Behavioral task: behavioral2 (sample tmp.exe, resource win10v2004-20240412-en)
Malware Config
Extracted: remcos
ASLAVES
64.188.18.137:1604
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-WVCSRD
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: tmp.bak
Size: 1.1MB
Score: 10/10
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Suspicious use of SetThreadContext