General
-
Target
INQUIRY#46789-MAY_24_PRODUCTS.exe
-
Size
414KB
-
Sample
240527-hrg1fscf45
-
MD5
b0058626c77841fea067aa436ff4f1e7
-
SHA1
cb42fd42e35ffaab9eb7000f0e3df59c2ba4ec7a
-
SHA256
0459c020742f5356d25d14f2cd937ecee923a54402246dc521452a6c9b353119
-
SHA512
76caef3ebcde654c9237110a632c4acb1397843aee53fbff73d6686233d0fce0ffae12ab2764abea3fc8426379f306bc65ccdec4d9fda468d300fcb5054d74c3
-
SSDEEP
6144:Y7eCdHpEMIeSdeNuUeOR7LTmlE8uf58dnABhc+Ku5hygOdtUwj0TnmuqXdG:6PNAd7nOtS4EJi5hygoRu6Xw
Static task
static1
Behavioral task
behavioral1
Sample
INQUIRY#46789-MAY_24_PRODUCTS.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
INQUIRY#46789-MAY_24_PRODUCTS.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
Malware Config
Extracted
remcos
CEYE
64.188.26.202:1604
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
Vexploio.exe
-
copy_folder
Vexplo
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-RXKA3P
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
INQUIRY#46789-MAY_24_PRODUCTS.exe
-
Size
414KB
-
MD5
b0058626c77841fea067aa436ff4f1e7
-
SHA1
cb42fd42e35ffaab9eb7000f0e3df59c2ba4ec7a
-
SHA256
0459c020742f5356d25d14f2cd937ecee923a54402246dc521452a6c9b353119
-
SHA512
76caef3ebcde654c9237110a632c4acb1397843aee53fbff73d6686233d0fce0ffae12ab2764abea3fc8426379f306bc65ccdec4d9fda468d300fcb5054d74c3
-
SSDEEP
6144:Y7eCdHpEMIeSdeNuUeOR7LTmlE8uf58dnABhc+Ku5hygOdtUwj0TnmuqXdG:6PNAd7nOtS4EJi5hygoRu6Xw
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
fbe295e5a1acfbd0a6271898f885fe6a
-
SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da
-
SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
-
SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
SSDEEP
192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4
Score3/10 -