General
- Target: 29072024_0934_29072024_Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-29.PDF.tar.gz
- Size: 526KB
- Sample: 240729-ljzgbawaje
- MD5: 90a8c5510480fb8e736499f5a5b2a74b
- SHA1: a99765aacccb88fa9261991d2310582467a60b50
- SHA256: e651929d200f1c483ac575e1984e364ec838f75b522c3c62e692f20608ea260a
- SHA512: f5ef246391d88ffaf1aeaad1b48f30cae66026baed7977b12ec3a75f8ab7c0513ae003d5c60343a8bcf289dc74b8b0a8d626df795c77912b47067ef1015f7064
- SSDEEP: 12288:6UYak7qbBEwCTgB0vOiNsi4djA1A1jOhqlRhtxHh+N5k:os3CTgyvn4lAG1CKf+N5k
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-29.PDF.exe
  - Resource: win7-20240708-en
- Behavioral task: behavioral2
  - Sample: Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-29.PDF.exe
  - Resource: win10v2004-20240709-en
Malware Config
- Extracted: remcos
- RemoteHost: 127.0.0.1:45645, 127.0.0.1:56765, mypersonrem.duckdns.org:56765, mypersonrem.duckdns.org:45645
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-ZGTK2C
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-29.PDF.exe
- Size: 1.1MB
- MD5: 7d8f742f61cdcf07f87403db8b3ddaed
- SHA1: 0991fd8f4c020ceff16306f74c7416034691bf1d
- SHA256: 14b2d55f02369c078f2a3da33a0b5e963c76b3deb1b000b6e664bd87a97ddc24
- SHA512: 87abea135f53040901c202aa8eea7cba85a92aab347dad64bbf613a646edc038083301f44cb49b53ddf69e6b7b5cc31068fc427eb1c934caed9aadb4ef03d227
- SSDEEP: 24576:eMYsrqeco9CxAQgacj6C0aZfvgI7AMMeljMnqH1:eMO0Dj67aZ3AMMg1
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext