General
-
Target
Salary July 2024pdf.exe
-
Size
863KB
-
Sample
240807-k56l3szbjg
-
MD5
fa7f5341c4ee122c6295e08d04062ac0
-
SHA1
f479d2673e995cdf233b2fb13aa595cd542ab742
-
SHA256
c2cf1032ae671d0bcba6d625bc72236b125f864a1bb6114c6b96a8e0c91c6759
-
SHA512
e3e81f334038fe06fe06c9bea9b7e2549134bb6f7ba6dd06dbaa68fefd26c533a6d0a18b81fdb619a518b2fbce6134484af67851a57ac26d04942ea1469d0de2
-
SSDEEP
24576:eiUmSB/o5d1ubcvBxuwQYTReNoH+V2uiQd+Dgyx:e/mU/ohubcvBk8Neh0ug8
Behavioral task
behavioral1
Sample
Salary July 2024pdf.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Salary July 2024pdf.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
remcos
RemoteHost
194.169.175.190:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-LBZ2BK
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
Salary July 2024pdf.exe
-
Size
863KB
-
MD5
fa7f5341c4ee122c6295e08d04062ac0
-
SHA1
f479d2673e995cdf233b2fb13aa595cd542ab742
-
SHA256
c2cf1032ae671d0bcba6d625bc72236b125f864a1bb6114c6b96a8e0c91c6759
-
SHA512
e3e81f334038fe06fe06c9bea9b7e2549134bb6f7ba6dd06dbaa68fefd26c533a6d0a18b81fdb619a518b2fbce6134484af67851a57ac26d04942ea1469d0de2
-
SSDEEP
24576:eiUmSB/o5d1ubcvBxuwQYTReNoH+V2uiQd+Dgyx:e/mU/ohubcvBk8Neh0ug8
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Accesses Microsoft Outlook accounts
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-