General

Target: 43319fa796c6b542426e4e853a26a12d9a1cd49687878484a5bae88d246600cb.exe
Size: 383KB
Sample: 240430-mw3vyaae8y
MD5: 23e67f856583bc4edbab6d66fb5d3519
SHA1: 335d696e7448570c632dc0b6f3aadfe69262d2ef
SHA256: 43319fa796c6b542426e4e853a26a12d9a1cd49687878484a5bae88d246600cb
SHA512: 893f81e5c0a8e64b4a2ab2edee73b7867255154191cd73ca9faddfc3c7c68454689dc3b297c7cf3bb51f14f3910fb9c0ff6f1ce5f1139961a8153e54c9868ffc
SSDEEP: 6144:HT4DtVpZI3UNWc3n5C3Tsc8XANjZ8S+ztjsNtsZ7X9/wkm8mKuUE2OCQpPAvFeVY:HTgYEztxwquUfNQZAvsl9pSTlDt
Static task: static1

Behavioral task: behavioral1
Sample: 43319fa796c6b542426e4e853a26a12d9a1cd49687878484a5bae88d246600cb.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 43319fa796c6b542426e4e853a26a12d9a1cd49687878484a5bae88d246600cb.exe
Resource: win10v2004-20240226-en

Behavioral task: behavioral3
Sample: jebliksbilledes/Unrelative/Sikkativers/Regredieredes/Fastkurspolitikken.ps1
Resource: win7-20240220-en

Behavioral task: behavioral4
Sample: jebliksbilledes/Unrelative/Sikkativers/Regredieredes/Fastkurspolitikken.ps1
Resource: win10v2004-20240419-en
Malware Config

Extracted: remcos
Top
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: mqerms.dat
keylog_flag: false
keylog_path: %AppData%
mouse_option: false
mutex: alpwovnb-G3F5OR
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets

Target: 43319fa796c6b542426e4e853a26a12d9a1cd49687878484a5bae88d246600cb.exe
Size: 383KB
Score: 10/10
Signatures:
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
Target: jebliksbilledes/Unrelative/Sikkativers/Regredieredes/Fastkurspolitikken.Vol
Size: 60KB
MD5: 2a4c059165f67c3923409c13eb335f08
SHA1: 327454ea9cef3b257a7a154bc75aa1dac1dc77d1
SHA256: f383eb80238916fd6c00c1513464f841fefb622aad04f345f4bc69f8a24aa8b1
SHA512: d1d1898f852d9fb3af766fea3e06ffefad91af0bc4d5652716103f6f2151118b5129d8c9707fcaf14d3e16654f7148163b80ec03a3e2a4bbb036575666392560
SSDEEP: 768:bxvCc7TZ/G5kUwtoHQsp55qLP4vozxzNVqsZPiL3B3uy1LnUIz75zx7IwUER81uu:1qJ+ltCWP3NzNVqLj5bDd9NxouDgUSV
Score: 8/10
Signatures:
- Modifies Installed Components in the registry
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.