General
- Target: 15072024_1334_14072024_Review Invoice 15072024.tar
- Size: 728KB
- Sample: 240715-qt7b5awbnb
- MD5: 0a6420e9c0e983186459c2537bda199a
- SHA1: 61bd7badb5728c129bc8f274b3787bb2ff387f90
- SHA256: 7739a700fbce9b89f0aa0ec238298c0c07de9883fd463b20445b6d6f883d5d0f
- SHA512: 96ccdefe9b4253f5380b4ce15b374aaaa64e15b6934ef22493295b37cada7039fc2f51b032d3f3277f44acc87ec3bd4f2e4ba9c9c649f74de52a54fed62578e2
- SSDEEP: 12288:0Ghobbtqgy0yCGOrKNjg3Qh3rXzSb5t6gNXJgDh/+wwbmP/fF0/OUWbI:29qgxGnjh3rgfzkiu/kOUWs
Static task
- static1
Behavioral task
- behavioral1
  - Sample: Review Invoice 15072024.cmd
  - Resource: win7-20240704-en
Behavioral task
- behavioral2
  - Sample: Review Invoice 15072024.cmd
  - Resource: win10v2004-20240709-en
Malware Config
Extracted
- Family: remcos
- Botnet: WEALTHBOX
- C2: janbours92harbu03.duckdns.org:3980
- C2: janbours92harbu03.duckdns.org:3981
- C2: janbours92harbu04.duckdns.org:3980
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- keylog_crypt: false
- keylog_file: sburtts.dat
- keylog_flag: false
- keylog_path: %AppData%
- mouse_option: false
- mutex: ghnghoe-ACVPA3
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value:
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: Review Invoice 15072024.cmd
- Size: 1.6MB
- MD5: 8043ccab76e981b8d581cb7636c94606
- SHA1: 080c190cab8205ec507f328da0a807284628e1a6
- SHA256: 2c9f05dbca2a6a28c5f2b39f1e236f5a379fa268cdcf27e031721c9f0fe91552
- SHA512: fbf807b7a0a586eac4e2de12c274120ac133c5abe1b6369e17741146330fc4dd3dbbb7c2a7817654b350442a99470a157cbf04aed804a4d0d4e6d5509fc806cc
- SSDEEP: 24576:ZzMVPKmB/+fFOTQEKf99+VcJWn8wWgpQu/w/5tLw:h6BWFUkqVK/52
- Score: 10/10
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
  - NirSoft MailPassView: Password recovery tool for various email clients
  - NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext