General
-
Target
Pagos-Confirming_PDF.exe
-
Size
550KB
-
Sample
240731-h83ngsxfrf
-
MD5
11e1d4839bb77f68d65bd767db97fc95
-
SHA1
eb283f3ced6c94f5d1841ad8283cc137bae2b550
-
SHA256
69fe306fb9f787613cff3562e3a677b8430dceddbfbdd141ad5837ba111b5106
-
SHA512
35f6ec8b867646edf1b6cf67c27c977b12a945f35796b540ce0232a88961d80cd82ff02a9a00b7f373350ef7f880bceb72977a0d42037e4f219303c5dc8fbb13
-
SSDEEP
12288:0toQhWVk2MM7AjOaZ4XiCeLvNJdXFIVZBZYUyi7kOSIwu:VQ4fMM7AjT4XiCIZiV3KUyTLo
Static task
static1
Behavioral task
behavioral1
Sample
Pagos-Confirming_PDF.exe
Resource
win7-20240705-en
Malware Config
Extracted
remcos
RemoteHost
103.198.26.25:96
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-IPUJM4
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
Pagos-Confirming_PDF.exe
-
Size
550KB
-
MD5
11e1d4839bb77f68d65bd767db97fc95
-
SHA1
eb283f3ced6c94f5d1841ad8283cc137bae2b550
-
SHA256
69fe306fb9f787613cff3562e3a677b8430dceddbfbdd141ad5837ba111b5106
-
SHA512
35f6ec8b867646edf1b6cf67c27c977b12a945f35796b540ce0232a88961d80cd82ff02a9a00b7f373350ef7f880bceb72977a0d42037e4f219303c5dc8fbb13
-
SSDEEP
12288:0toQhWVk2MM7AjOaZ4XiCeLvNJdXFIVZBZYUyi7kOSIwu:VQ4fMM7AjT4XiCIZiV3KUyTLo
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Accesses Microsoft Outlook accounts
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-