General
-
Target
61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d.exe
-
Size
1.3MB
-
Sample
240524-bq89zsga7y
-
MD5
a55159c7edc073d452e4fef92d247997
-
SHA1
d239b25b2a33a64134f11d2d2ac5c7a89e186a29
-
SHA256
61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d
-
SHA512
5189f51ce0f90a71e86e53ea23d564d796536c45db8c8f4a11e75947bb4fc0d2489c83899e4a8e8b81504007ccad7a05dc8ac02b0d47a52ea565396a27c5e8b3
-
SSDEEP
24576:AP+g7Wy3xfMZKdcKtTjbJ4jEEEEEEEEEEEEEEEEEEEETKKKKKKKKKKKKKKKKKKK7:A/iy3g6TjbIEEEEEEEEEEEEEEEEEEEE+
Static task
static1
Behavioral task
behavioral1
Sample
61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
remcos
FmGlobal
royaldachpharmacy.duckdns.org:6395
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
services.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-GRT17F
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d.exe
-
Size
1.3MB
-
MD5
a55159c7edc073d452e4fef92d247997
-
SHA1
d239b25b2a33a64134f11d2d2ac5c7a89e186a29
-
SHA256
61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d
-
SHA512
5189f51ce0f90a71e86e53ea23d564d796536c45db8c8f4a11e75947bb4fc0d2489c83899e4a8e8b81504007ccad7a05dc8ac02b0d47a52ea565396a27c5e8b3
-
SSDEEP
24576:AP+g7Wy3xfMZKdcKtTjbJ4jEEEEEEEEEEEEEEEEEEEETKKKKKKKKKKKKKKKKKKK7:A/iy3g6TjbIEEEEEEEEEEEEEEEEEEEE+
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
-
Detects executables built or packed with MPress PE compressor
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-