General
Target: LHER0006981753.xls
Size: 243KB
Sample: 240524-lfjxfsce97
MD5: 9a3bc48238b66f452505a411d111672f
SHA1: d6bd686fe55e31c0a0cc387f0fd9e508cf7963e6
SHA256: 23beb2cb2dcecd755000c7992a9b691b1b66f3f8b4410c8d6c9af7411f5c7fc1
SHA512: 68dc475eeff17b495015d2676504bad0d7b6f653733e40a7c0c692b2fb0b816a4c1a66514ef6f92e76662fb2b637acdfeee774c43536b8a67a369b5f40d14c3b
SSDEEP: 6144:ue4UcLe0JOqPQZR8MDdATCR3tSul0W8ETwFN3sm4Lc7qRcz0DLdvU:EUP/qPQZR8MxAm/SbW8E8N394oeuMLq
Static task: static1
Behavioral task: behavioral1
  Sample: LHER0006981753.xls
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: LHER0006981753.xls
  Resource: win10v2004-20240508-en
Malware Config
Extracted: remcos
RemoteHost: sembe.duckdns.org:14645
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: nots.dat
keylog_flag: false
keylog_folder: note
keylog_path: %Temp%
mouse_option: false
mutex: Rmc-999Z97
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: LHER0006981753.xls
Score: 10/10
Signatures:
- Blocklisted process makes network request
- Abuses OpenXML format to download file from external location
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext