General
-
Target
9f6b2a0d2aef8aa1d11f543aea46b0821b378e695920b966507761c83ec09de3.exe
-
Size
1.2MB
-
Sample
240725-fh67wasgnd
-
MD5
8967dfc4ac3e7430249a90e80d582319
-
SHA1
7ce421ecb941e60337f41da358d23d0348a4a074
-
SHA256
9f6b2a0d2aef8aa1d11f543aea46b0821b378e695920b966507761c83ec09de3
-
SHA512
5b1bafb4cb6a9dcf762a1cfb22afb96f7262ca9ab58c914e2b3292aeaf627925809c6821480d28d08defaf3fe803ff7caf1970fa3d237f5f032b6cbfbdc75133
-
SSDEEP
24576:/7KJ9yTXc3Np0OhffLHA7oAe8pNQcoNmlkIDJw2xvyb8:u+w3bLHAGyGfhcw2E8
Static task
static1
Behavioral task
behavioral1
Sample
9f6b2a0d2aef8aa1d11f543aea46b0821b378e695920b966507761c83ec09de3.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
9f6b2a0d2aef8aa1d11f543aea46b0821b378e695920b966507761c83ec09de3.exe
Resource
win10v2004-20240709-en
Malware Config
Extracted
remcos
RemoteHost
107.175.229.139:8823
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-2BGC0K
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
9f6b2a0d2aef8aa1d11f543aea46b0821b378e695920b966507761c83ec09de3.exe
-
Size
1.2MB
-
MD5
8967dfc4ac3e7430249a90e80d582319
-
SHA1
7ce421ecb941e60337f41da358d23d0348a4a074
-
SHA256
9f6b2a0d2aef8aa1d11f543aea46b0821b378e695920b966507761c83ec09de3
-
SHA512
5b1bafb4cb6a9dcf762a1cfb22afb96f7262ca9ab58c914e2b3292aeaf627925809c6821480d28d08defaf3fe803ff7caf1970fa3d237f5f032b6cbfbdc75133
-
SSDEEP
24576:/7KJ9yTXc3Np0OhffLHA7oAe8pNQcoNmlkIDJw2xvyb8:u+w3bLHAGyGfhcw2E8
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Scripting
1