General
-
Target
ibcomonkeykingloverdontforogetokissherwithlotoflovebecauseheisveryvaluablekingeveriseenheisverygoodgirl___myhappinessinthrgirl.doc
-
Size
79KB
-
Sample
240426-napxmafb64
-
MD5
f7fabb6a3c4d7f625cc9398bd7713b4e
-
SHA1
818eff2b9c97eb2debcb058caf4221b4e96bca85
-
SHA256
246a56126023decef480763c6aeb0835b304b780229dfae1c4da57ece6426abd
-
SHA512
0ab1fc7e351ba6728193fb958b12217a639ad01f0067c012c5de795ff3d18f8dc41716f2c6349f0960e50c80810cd54473044f0927816398adb7131c4427a36b
-
SSDEEP
1536:ArwYaxLA/2q5Iqr7DXYwOk5UKpebeHdmcY3DCXiAwN/dFu/CZr:ArwYax+ZTr7DXYwOk55sbMdmcY3mXiAI
Static task
static1
Behavioral task
behavioral1
Sample
ibcomonkeykingloverdontforogetokissherwithlotoflovebecauseheisveryvaluablekingeveriseenheisverygoodg.rtf
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
ibcomonkeykingloverdontforogetokissherwithlotoflovebecauseheisveryvaluablekingeveriseenheisverygoodg.rtf
Resource
win10v2004-20240419-en
Malware Config
Extracted
remcos
RemoteHost
sembe.duckdns.org:14645
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
nots.dat
-
keylog_flag
false
-
keylog_folder
note
-
keylog_path
%Temp%
-
mouse_option
false
-
mutex
Rmc-999Z97
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
ibcomonkeykingloverdontforogetokissherwithlotoflovebecauseheisveryvaluablekingeveriseenheisverygoodgirl___myhappinessinthrgirl.doc
-
Size
79KB
-
MD5
f7fabb6a3c4d7f625cc9398bd7713b4e
-
SHA1
818eff2b9c97eb2debcb058caf4221b4e96bca85
-
SHA256
246a56126023decef480763c6aeb0835b304b780229dfae1c4da57ece6426abd
-
SHA512
0ab1fc7e351ba6728193fb958b12217a639ad01f0067c012c5de795ff3d18f8dc41716f2c6349f0960e50c80810cd54473044f0927816398adb7131c4427a36b
-
SSDEEP
1536:ArwYaxLA/2q5Iqr7DXYwOk5UKpebeHdmcY3DCXiAwN/dFu/CZr:ArwYax+ZTr7DXYwOk55sbMdmcY3mXiAI
Score10/10-
Blocklisted process makes network request
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1