General
-
Target
b5aefdeb0f451c2edd13b5d42cb64234f5b513997af891ae3f5c187d15701602.exe
-
Size
619KB
-
Sample
240724-danpfstglj
-
MD5
eecdcad7501f2a7308d40820445e2aa9
-
SHA1
898a2f518726c6866ebd3583b634d8c0043f543d
-
SHA256
b5aefdeb0f451c2edd13b5d42cb64234f5b513997af891ae3f5c187d15701602
-
SHA512
ff0c5db3c2fc1a8db8a536bcedcdb7406841d74400e3246fbbbea2450f5ed336257ec0b01d616105f0650f9e0be9bda93dec037f56b6845044146c8909cc4d05
-
SSDEEP
12288:7T5tGDZWWO4K0GFYSE+ZAaDNtde8N1LGayE3cqU2ricGtq:7T5QDZWb4K0GFYCZA4tde863Ew2G0
Static task
static1
Behavioral task
behavioral1
Sample
b5aefdeb0f451c2edd13b5d42cb64234f5b513997af891ae3f5c187d15701602.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
b5aefdeb0f451c2edd13b5d42cb64234f5b513997af891ae3f5c187d15701602.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240709-en
Malware Config
Extracted
remcos
RemoteHost
212.162.149.80:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-WVQ56B
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
b5aefdeb0f451c2edd13b5d42cb64234f5b513997af891ae3f5c187d15701602.exe
-
Size
619KB
-
MD5
eecdcad7501f2a7308d40820445e2aa9
-
SHA1
898a2f518726c6866ebd3583b634d8c0043f543d
-
SHA256
b5aefdeb0f451c2edd13b5d42cb64234f5b513997af891ae3f5c187d15701602
-
SHA512
ff0c5db3c2fc1a8db8a536bcedcdb7406841d74400e3246fbbbea2450f5ed336257ec0b01d616105f0650f9e0be9bda93dec037f56b6845044146c8909cc4d05
-
SSDEEP
12288:7T5tGDZWWO4K0GFYSE+ZAaDNtde8N1LGayE3cqU2ricGtq:7T5QDZWb4K0GFYCZA4tde863Ew2G0
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/nsExec.dll
-
Size
7KB
-
MD5
84bcbefa5fe3d82647a15f135f22fb2a
-
SHA1
7c23a0c1a8b185f5af456dafa63a3c1207d8c1dc
-
SHA256
14ebfa0711b48ec748b6e4985db4b99a827996ae44b28122d16f14d0d0f51bb6
-
SHA512
c0e4ca46be6892b2cec77992e809897bcb768e3436d9bd81e4f84f4f1da9ef123ae902783147d263ac8019c732f131654694ad4105888c1f310c7bce8844b7dd
-
SSDEEP
96:0Vl/7KOuFlKHMpXGu8FX6eT3sQk1u2QmIG4fa9IJ4V:0Vl+hSs2u85TTHkZQmgy9I0
Score3/10 -