General
Target: April-29-receipt.zip
Size: 205KB
Sample: 240430-phvcraca4v
MD5: edc8c1b6536f29c0b7da2254dc7b2815
SHA1: 52e236ee861a43f15ce08489b1dbd288fdfd78e4
SHA256: a25581c800a7705e573bc684b7b364632a63962e2fa6d214cfa1bdd2e9d38cb1
SHA512: 25905a4310ef0e4dd2e437b961a1fc0f1b5810e6a02384b3f3c453b70f7525bc1e3fb8b6b258556fc92887623ae38b5a816a96507fd2ef5353a64c4be2e1d442
SSDEEP: 48:4VttKFlchhAlqp1lFaTt+LPfKUPcE77VZlO0uTN0Nx8L1oM1Nci/ZtdlMEjEoayo:aAklFisLPnpvVZlOfNs8RNciBvng
Static task: static1
Behavioral task: behavioral1
  Sample: April-29-receipt.js
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: April-29-receipt.js
  Resource: win10v2004-20240426-en
Malware Config
Extracted: xworm
  3.1
  aprilxrwonew8450.duckdns.org:8450
  0VZWHbNr1OapRPc5
  install_file: USB.exe
Extracted: remcos
  RemoteHost: remco8100.duckdns.org:8100
  audio_folder: MicRecords
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  mouse_option: false
  mutex: Rmc-G51VNO
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  take_screenshot_option: false
  take_screenshot_time: 5
Targets
Target: April-29-receipt.JS
Size: 200.0MB
MD5: 5012f7c0a6af87c3b2993a24523586e3
SHA1: 2f690f63035e996976430de0d2b2cbe4d2c55f06
SHA256: af57907b53533c7fb34e162201fa674ceb3a99223a819cb54fa14dd92cb90db8
SHA512: 0c89f1f259a6e8ff4deabb4b11074370c6cd9398a19ef1c26e73f718fa1dfe8aec32e10b357cc3c293d9906194edbf70b5fee2f468c805392bcde4f76b047097
SSDEEP: 96:A4iG6S+xh/kVzTTzvTssSFHG+JTCsMQCLb3i4Y4i444o1maJNLG6S+c2hxOm/3:ND6Ssh/psmH3JjY0Y6Sh2hxO
Score: 10/10
- Detect Xworm Payload
- Detect ZGRat V1
- Blocklisted process makes network request
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext