General
Target: All.2023.Tax.Documents.zip
Size: 19.8MB
Sample: 240520-wf16vabh61
MD5: 4c9bbf6d3f3634c69cb0be7461ca6a0b
SHA1: 58305aae7916b29f78382dc00e6014553960a8bf
SHA256: 65db81a51aa3831d6aa297642c1a992784905a194974450d1f4c283026b8ff00
SHA512: cf887b9abe10854658f48f3165f893299de673fbdacb27b57c42ae0de08670a1905b2a376db62f7d6dba08c790909c71bc750b1453f8549789ae36b3084dceef
SSDEEP: 393216:ftOdzfmZfX/s8EkKM5sOzs30EcfhKmJ6qqNm3eiW2cTWk9X92y+Xp:fcAZfkMKM5sxEEy76qfLWXTWOg
Static task: static1
Behavioral task: behavioral1
  Sample: Tax Organizer.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: Tax Organizer.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral3
  Sample: msimg32.dll
  Resource: win7-20240220-en
Behavioral task: behavioral4
  Sample: msimg32.dll
  Resource: win10v2004-20240426-en
Malware Config
Extracted: remcos
RemoteHost: jelelaiyegba.duckdns.org:6060
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-TLKW96
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: Tax Organizer.exe
Size: 6.1MB
MD5: 4864a55cff27f686023456a22371e790
SHA1: 6ed30c0371fe167d38411bfa6d720fcdcacc4f4c
SHA256: 08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2
SHA512: 4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb
SSDEEP: 98304:VZQIM+/nv/CDoAkYwpAa5ge1zZ/jtdZwUkQ:bJCKlA2VKUz
Score: 10/10
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger

Target: msimg32.dll
Size: 45.1MB
MD5: 58c43477d90dce1e7bac5bbab9c0a5a7
SHA1: d20041b5b1927aeb5887f331b2ed594e14fe8513
SHA256: 58c44d41b335c5b8c4f399c05fcef83a2d024211eec09b1ade5335b96b1f64c4
SHA512: c82dcef12e83601bc8f84f5341d8a74c9368ac9093a0f913746ac7a3ce0a856ad6d3faa921b29f3c471cf5a1124339534c21967fa23367119386183d9c044bf4
SSDEEP: 786432:bUP7GCGO7t0Srkx/tC0SzIdSwh/WxbpNHQD3trzRpvf9:bUP7GCG6iSrkx1hSzYsHQD3t/Rx1
Score: 10/10
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger