General
  Target: q.exe
  Size: 380KB
  Sample: 240429-ncr5rshc23
  MD5: c1e9cae3895e47557c49da02e857331d
  SHA1: cd606c216cdf514fd64b714037a75250007d90b7
  SHA256: a833220123f1e042399406b33817c857fec4d4471f9332b02abc390e11dae2e4
  SHA512: f4ede6b4caf0267888fe5cfaacfd808a4ef15c5b87f186211c57a75d77b3d4915e2851662e0528370deec6a4f974dce95ce1bd6df1a62c6675ce0d1bf717a486
  SSDEEP: 6144:HT4DtVpZI3UNm5XuEneTjst4l4hjVKLWWC4OZol37D3XmkL+VHjFz3+vaEfT:HTgUUEeTmzJKaYOGlXnoDdqlT

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: q.exe
    Resource: win7-20231129-en
  Behavioral task: behavioral2
    Sample: q.exe
    Resource: win10v2004-20240419-en
  Behavioral task: behavioral3
    Sample: Pidginizing/Halvpunkt240/Forblack231/Otiatric/Ergs.ps1
    Resource: win7-20240215-en
  Behavioral task: behavioral4
    Sample: Pidginizing/Halvpunkt240/Forblack231/Otiatric/Ergs.ps1
    Resource: win10v2004-20240419-en

Malware Config
  Extracted family: remcos
  audio_folder: MicRecords
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: true
  install_flag: false
  keylog_crypt: false
  keylog_file: mqerms.dat
  keylog_flag: false
  keylog_path: %AppData%
  mouse_option: false
  mutex: alpwovnb-G3F5OR
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  take_screenshot_option: false
  take_screenshot_time: 5

Targets
  Target: q.exe
    Size: 380KB
    MD5: c1e9cae3895e47557c49da02e857331d
    SHA1: cd606c216cdf514fd64b714037a75250007d90b7
    SHA256: a833220123f1e042399406b33817c857fec4d4471f9332b02abc390e11dae2e4
    SHA512: f4ede6b4caf0267888fe5cfaacfd808a4ef15c5b87f186211c57a75d77b3d4915e2851662e0528370deec6a4f974dce95ce1bd6df1a62c6675ce0d1bf717a486
    SSDEEP: 6144:HT4DtVpZI3UNm5XuEneTjst4l4hjVKLWWC4OZol37D3XmkL+VHjFz3+vaEfT:HTgUUEeTmzJKaYOGlXnoDdqlT
    Score: 10/10
    Signatures:
      Adds Run key to start application
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext

  Target: Pidginizing/Halvpunkt240/Forblack231/Otiatric/Ergs.Tha
    Size: 54KB
    MD5: 1c0b0b1677e6a0e8e41383703430a228
    SHA1: 3226cc511cb4ee3c4d8fc85f8309e769b588c59f
    SHA256: 056096bc668ccf068617f877b2d960d93fcc3f2bfcf6dc51e3e6ee1a5c83cdb8
    SHA512: b8856417ec13d2be0b53d74ec4a3b22784b5fa6ae0b2fd5d3cb21863103d01526ab60de2432e0532fcb27c36bc39d69e8178b1a8cc08f05a95c6bf591b581902
    SSDEEP: 768:NVOb/moCyL71NiFKFbshVB/RKpgdNfg5o6hwWPbIQ4bGkr1iDoxSP8Wej0aQ0wJ+:NVGmoCyH1LbQB/R45Wa/9D+lIJPgj
    Score: 8/10
    Signatures:
      Modifies Installed Components in the registry
      Enumerates connected drives (attempts to read the root path of hard drives other than the default C: drive)