General
Target: 23052024_1504_POT98765400098765.pdf.xz
Size: 588KB
Sample: 240523-sf5bqafc2x
MD5: 65ace8169dd4ebb8fdbcebd41ba7247f
SHA1: 0c392d00fa51976c9bbfef6c061568f80c0e6789
SHA256: 34ad5c6c83fce7cec4232cbbff121934dfe93db3d3a95738f8d36a02da36d1f5
SHA512: b5a125071b478353e169d1fb778bd2b79782931274467fc2c3b279ab9a7426430783a5b401d3761a1b79536b33e85a1c495453cefa9e0681a98fc1ce5f30f98d
SSDEEP: 12288:IP+1I9DinVcbtQMwDenpFmtsVrmm6ZcX3PTxrEkmHSoLJbyWVqoilo9t:IG1DnVGqynWtMK839gSoLJbtRv9t
Static task: static1
Behavioral task: behavioral1
  Sample: POT98765400098765.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: POT98765400098765.exe
  Resource: win10v2004-20240508-en
Malware Config
Extracted: remcos
RemoteHost: 107.175.229.139:8087
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-TLPQMO
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: POT98765400098765.cmd
Size: 685KB
MD5: f2a5a6b811805385156c3b820399e20e
SHA1: 3724daa63f56b24ba08d83abf150d8b45728619b
SHA256: 2fb0600e3f80a84d2e606d9dcebfae82473877af39e7c7b878d466318f7077af
SHA512: dbb724dc71e7a1f38838e86393bcbe59ccee16cabc131218911414223282060db71635196b636a60c5b4263d111d857b62fe597a0fc4b6f4ae2d9f8ed6a58a4a
SSDEEP: 12288:StWFbRSnw9raCMSWo3zf6dbtYMwDYnpF0PsNpWHq53PTtrE8yfEozJ7yWYl/qcHg:So59rVjfICknEPGUS3RKEozJ7Al/m
NirSoft MailPassView: Password recovery tool for various email clients
NirSoft WebBrowserPassView: Password recovery tool for various web browsers
Nirsoft
Drops startup file
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext