General
- Target: 1723186744bedfb94f9d8fe08c28d2d97f262f591de8ad734e1fdbcb16d212ad7a7dcb687b827.dat-decoded.exe
- Size: 483KB
- Sample: 240809-js4raayapl
- MD5: 4350718c9d94bf2efd23be14921bcff2
- SHA1: 2e9363ed2052b0e78477c534762eccf8d82563a8
- SHA256: 86deacab2e41344ae5e6e0ef624f37682c7e93892f5cee12b069cc3cf5119410
- SHA512: 9d3eb4557b354e6614bf7bb1ef8f7a62fad3cd1b86a32dcabf89cfbe08da48b36b6bf39e67a057e467f131de8bb623484d76735eaa840e9a0dcecf4e21919508
- SSDEEP: 6144:QTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZBAXccrdT4:QTlrYw1RUh3NFn+N5WfIQIjbs/ZB+T4
Behavioral tasks
- behavioral1: Sample 1723186744bedfb94f9d8fe08c28d2d97f262f591de8ad734e1fdbcb16d212ad7a7dcb687b827.dat-decoded.exe, Resource win7-20240704-en
- behavioral2: Sample 1723186744bedfb94f9d8fe08c28d2d97f262f591de8ad734e1fdbcb16d212ad7a7dcb687b827.dat-decoded.exe, Resource win10v2004-20240802-en
Malware Config (extracted): remcos
- RemoteHost: host.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro:26734
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: word
- keylog_path: %Temp%
- mouse_option: false
- mutex: Rmc-5W5YKY
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
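The extracted config above is the most actionable part of the report: the C2 endpoint, the mutex and the file names the build would use are the indicators worth pushing to detection. The following is an added example (not part of the sandbox report or of Remcos itself) that parses the report's flattened key/value layout, coerces the bool/int fields, and derives the host and network artifacts from it. Assumptions are marked in the comments: the fixture is a constructed subset of the config values shown on this page, multiple C2 hosts are treated as '|'-separated (this sample lists only one), the base directory of copy_folder is not in the config so that path is left relative, and the Suricata sid is a placeholder.

```python
"""Parse a Remcos config dump and derive indicators (added example)."""
from typing import Any

# Constructed fixture: a subset of the config values extracted above, in the
# same flattened "key / value / -" layout the report uses.
RAW_CONFIG = "\n".join([
    "RemoteHost", "host.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro:26734", "-",
    "copy_file", "remcos.exe", "-",
    "copy_folder", "Remcos", "-",
    "install_flag", "false", "-",
    "keylog_file", "logs.dat", "-",
    "keylog_flag", "false", "-",
    "keylog_folder", "word", "-",
    "keylog_path", "%Temp%", "-",
    "mutex", "Rmc-5W5YKY", "-",
    "screenshot_flag", "false", "-",
    "screenshot_folder", "Screenshots", "-",
    "screenshot_path", "%AppData%", "-",
    "screenshot_time", "10",
])


def parse_config(text: str) -> dict[str, Any]:
    """Pair key/value lines, skip '-' separators, coerce 'true'/'false' and digits."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and ln.strip() != "-"]
    if len(lines) % 2:
        raise ValueError("odd number of key/value lines: dump is truncated")
    cfg: dict[str, Any] = {}
    for key, val in zip(lines[::2], lines[1::2]):
        if val.lower() in ("true", "false"):
            cfg[key] = val.lower() == "true"
        elif val.isdigit():
            cfg[key] = int(val)
        else:
            cfg[key] = val
    return cfg


def c2_endpoints(cfg: dict[str, Any]) -> list[tuple[str, int]]:
    """Split RemoteHost into (host, port) pairs.
    Assumption: several C2 entries may be '|'-separated; this sample has one."""
    endpoints = []
    for entry in str(cfg["RemoteHost"]).split("|"):
        host, sep, port = entry.strip().rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"RemoteHost entry without port: {entry!r}")
        endpoints.append((host, int(port)))
    return endpoints


def host_artifacts(cfg: dict[str, Any]) -> dict[str, str]:
    """Mutex and file paths implied by the config fields.
    The base directory for copy_folder is not in the config, so that path is relative."""
    def win(*parts: str) -> str:
        return "\\".join(parts)
    return {
        "mutex": str(cfg["mutex"]),
        "copy_path": win(cfg["copy_folder"], cfg["copy_file"]),
        "keylog_path": win(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]),
        "screenshot_dir": win(cfg["screenshot_path"], cfg["screenshot_folder"]),
    }


def enabled_features(cfg: dict[str, Any]) -> list[str]:
    """Boolean flags set to true in the build. Empty for this sample: no install
    copy, keylog file or screenshots unless the operator turns them on via C2,
    so the mutex and the C2 host are the reliable indicators."""
    return sorted(k for k, v in cfg.items() if v is True)


def suricata_dns_rule(host: str, sid: int = 1000001) -> str:
    """Constructed DNS-query rule for the C2 hostname; sid is a placeholder."""
    return (f'alert dns $HOME_NET any -> any any (msg:"Remcos C2 lookup {host}"; '
            f'dns.query; content:"{host}"; nocase; bsize:{len(host)}; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    cfg = parse_config(RAW_CONFIG)
    for host, port in c2_endpoints(cfg):
        print(f"C2: {host}:{port}")
        print(suricata_dns_rule(host))
    print("host artifacts:", host_artifacts(cfg))
    print("enabled features:", enabled_features(cfg) or "none")
```

Run it against the full config text of a report to get the same output for other Remcos builds; the parser only depends on the "key / value / -" layout, not on the field names.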
Targets
- Target: 1723186744bedfb94f9d8fe08c28d2d97f262f591de8ad734e1fdbcb16d212ad7a7dcb687b827.dat-decoded.exe
Signatures
- Credentials from Password Stores: Credentials from Web Browsers. Malicious access to, or copy of, a web browser credential store.
- Detected NirSoft tools. Free utilities often used by attackers to recover passwords, product keys, etc.
- NirSoft MailPassView. Password recovery tool for various email clients.
- NirSoft WebBrowserPassView. Password recovery tool for various web browsers.
- Accesses Microsoft Outlook accounts.
- Suspicious use of SetThreadContext (the API used to redirect a suspended thread, typical of process hollowing and other injection).