General
Target: 21052024_1529_21052024_Swift 2024052130819616.gz
Size: 6KB
Sample: 240521-sw2wjaad55
MD5: e6c11c2fe4d3b9d2469e1c502a142d8b
SHA1: 985dcc6408bbec0b7ee5ac4752f6014adf81016f
SHA256: 337aa6bceb4103aa9327b569ba6809401221948a6c6386eb0ca20ffc47dbfcbb
SHA512: ba473024a79fe65303ebc0be4840da5c54857009a37550cf77ab6c98dc4d622e23149a44e26839649b11c4321f605fb7b2430405e757b0e36cf39a64610aedc8
SSDEEP: 192:yvlY+rKhGPnNrVCDTobBsUPQKt8IlRPtV:ym+mhGPtwTUBHblPtV
Static task: static1
Behavioral task: behavioral1, sample Swift 2024052130819616.vbs, resource win7-20240215-en
Behavioral task: behavioral2, sample Swift 2024052130819616.vbs, resource win10v2004-20240508-en
Malware Config
Extracted
Family: remcos
Botnet: MAY
C2: ab9001.ddns.net:9001
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: rm.exe
copy_folder: Rm
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %UserProfile%
mouse_option: false
mutex: -L9O37N
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: Swift 2024052130819616.vbs
Size: 13KB
MD5: 693d91041a54a578ada0c38a77634ee9
SHA1: 13e0a6c85203356af7d11ff4a0e74a6b9637f466
SHA256: bb8d35012cdd6408e23b9983549095e98a88c1ccf99fc447cb92bf9d6de71b91
SHA512: 110e25ec6a8f8cb52a3d8a21e01ae9e2b308276111a70cd2afd64e187b41fbbedf9365170bacd971b26ee17a62df4b2174dd2580bcdb18ed768a06d01d860ccb
SSDEEP: 192:lLZMMji78HauxUn+OKEtfuJkEF3UxO8OY7DIsRsTYEtoTP5CfQ6x7PwYVRWFo2Uj:DV8wtkyRi/aVvdb2ze
Signatures
NirSoft MailPassView: Password recovery tool for various email clients
NirSoft WebBrowserPassView: Password recovery tool for various web browsers
Nirsoft
Blocklisted process makes network request
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Accesses Microsoft Outlook accounts
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
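The extracted config above (C2 host and port, mutex, copy folder and file, keylog and screenshot locations) and the signature list (Run key persistence, C2 on an abused hosting service) are enough to build host and network indicators for hunting. The following Python is an added example for this page, not sandbox output or Remcos code. It turns the config values into case-folded, profile-independent indicators, matches them against constructed endpoint event records, and downgrades keylog and screenshot file matches because keylog_flag and screenshot_flag are both false in this config, so those artifacts are not expected on a victim. The event records, the Run key path, and the assumption that the keylogger writes keylog_folder\keylog_file under keylog_path are assumptions of the example, not facts stated in the report.

```python
"""Derive host/network indicators from the Remcos config in the report and
match them against constructed endpoint events.

Added example for this report page; not sandbox output or Remcos code.
"""
from typing import Any, Dict, List, Tuple

# Values copied from the "Malware Config / Extracted" section of the report.
REMCOS_CONFIG: Dict[str, Any] = {
    "hosts": ["ab9001.ddns.net:9001"],
    "mutex": "-L9O37N",
    "copy_folder": "Rm",
    "copy_file": "rm.exe",
    "keylog_flag": False,
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": False,
    "screenshot_folder": "Screenshots",
}

# Constructed event records (not from the report). Paths, user name and the
# Run key location are assumptions for illustration.
EVENTS: List[Dict[str, Any]] = [
    {"type": "network", "image": "wscript.exe", "dst": "AB9001.ddns.net", "port": 9001},
    {"type": "mutex", "image": "rm.exe", "name": "-L9O37N"},
    {"type": "file", "image": "rm.exe", "path": r"C:\Users\alice\remcos\logs.dat"},
    {"type": "registry", "image": "wscript.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\alice\AppData\Roaming\Rm\rm.exe"},
    {"type": "network", "image": "chrome.exe", "dst": "example.com", "port": 443},
    {"type": "file", "image": "explorer.exe", "path": r"C:\Users\alice\Pictures\Screenshots\x.png"},
]

Hit = Tuple[int, str, str]  # (event index, reason, confidence)


def derive_iocs(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Build matchable indicators from the extracted config.

    Paths are reduced to lower-cased suffixes so they match under any user
    profile. The layout keylog_folder\\keylog_file (under keylog_path) is an
    assumption taken from the field names; the report does not spell it out.
    """
    c2 = set()
    for entry in cfg["hosts"]:
        host, _, port = entry.rpartition(":")
        c2.add((host.lower(), int(port)))
    return {
        "c2": c2,
        "mutex": cfg["mutex"],
        "keylog_suffix": "\\%s\\%s" % (cfg["keylog_folder"].lower(), cfg["keylog_file"].lower()),
        "keylog_enabled": bool(cfg["keylog_flag"]),
        "screenshot_dir": "\\%s\\" % cfg["screenshot_folder"].lower(),
        "screenshot_enabled": bool(cfg["screenshot_flag"]),
        "copy_suffix": "\\%s\\%s" % (cfg["copy_folder"].lower(), cfg["copy_file"].lower()),
    }


def match_events(events: List[Dict[str, Any]], iocs: Dict[str, Any]) -> List[Hit]:
    """Return every event that matches an indicator, with a confidence level.

    File artifacts of modules that are switched off in this config
    (keylog_flag / screenshot_flag false) are reported as low confidence.
    """
    hits: List[Hit] = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "network":
            if (ev["dst"].lower(), ev["port"]) in iocs["c2"]:
                hits.append((i, "c2 connection", "high"))
        elif kind == "mutex":
            if ev["name"] == iocs["mutex"]:
                hits.append((i, "remcos mutex", "high"))
        elif kind == "file":
            path = ev["path"].lower()
            if path.endswith(iocs["keylog_suffix"]):
                hits.append((i, "keylog file", "high" if iocs["keylog_enabled"] else "low"))
            elif iocs["screenshot_dir"] in path:
                hits.append((i, "screenshot folder", "high" if iocs["screenshot_enabled"] else "low"))
        elif kind == "registry":
            # Run key whose data points at the configured copy location.
            if ev["key"].lower().endswith("\\run") and ev["data"].lower().endswith(iocs["copy_suffix"]):
                hits.append((i, "run key to copied binary", "high"))
    return hits


if __name__ == "__main__":
    for idx, reason, conf in match_events(EVENTS, derive_iocs(REMCOS_CONFIG)):
        print("%s  event %d  %s" % (conf.ljust(4), idx, reason))
```

The folder-name-only match for Screenshots is deliberately weak: "Screenshots" is a common folder name, and with screenshot_flag false the sample is not expected to write there at all, so that hit should only ever corroborate a C2, mutex or Run key match, never stand alone.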