General

Target: 7cc1d318287ed3311ffee12c37ee32ee94208d2f5860e99a5d54a5fb24dddef5
Size: 500KB
Sample: 240819-dvqdsavemr
MD5: f3a8fd16684e8870a92e88d4ec87a339
SHA1: 0e17d21507ce9a47eb583a171943b7e74a021098
SHA256: 7cc1d318287ed3311ffee12c37ee32ee94208d2f5860e99a5d54a5fb24dddef5
SHA512: 0ad64bd9d1f88c5539b914f03e85a0df14ce1836753c8cf99343fb84a336d649508ae7401fd767de57d2b020c74f167343b423a9ad26661d04c7367a0659d6bf
SSDEEP: 12288:xEPkn7JVpBMbc62oVa3qpm7OOWYr2EXgDTqT2I9Abi:2PUbB/EVa3mm7zWmjXiTqTMbi
Static task: static1

Behavioral task: behavioral1
  Sample: 4c614a69aebe97562d09c05c5b08db70ba7cba08f6698e5a87fc85407e2fb940.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: 4c614a69aebe97562d09c05c5b08db70ba7cba08f6698e5a87fc85407e2fb940.exe
  Resource: win10v2004-20240802-en
Malware Config

Extracted: remcos
RemoteHost: 103.67.162.233:9462
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-GRR4WM
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets

Target: 4c614a69aebe97562d09c05c5b08db70ba7cba08f6698e5a87fc85407e2fb940.exe
Size: 626KB
MD5: 9be2bb8f46192a7cf7006587c0e95d54
SHA1: 9e31f25cd0c0cf37a92a61ebd87293b519da5534
SHA256: 4c614a69aebe97562d09c05c5b08db70ba7cba08f6698e5a87fc85407e2fb940
SHA512: 76140dd7bcfdb778b70c4864934016b9cbc60b4f36ece6aa671c6556f1504d38e3428102663c47ffa8346e2201078a28443a0b42be0c6b7e820f6823cab4810b
SSDEEP: 12288:naxvaBAHu5sn0ulSRNQeILTPNRLZi8s7exFe2WM:a9aBAObRNVI/PNxzxFMM

Signatures

Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, a web browser credential store.
Detected NirSoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
NirSoft MailPassView
  Password recovery tool for various email clients.
NirSoft WebBrowserPassView
  Password recovery tool for various web browsers.
Accesses Microsoft Outlook accounts
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext