General
Target: f4f4d459698282bc9109716f91cc91fd3b36f363a352c17245c883dbd921fbdf
Size: 857KB
Sample: 240820-jckcpszdlh
MD5: eedc23b970a3a42043e8d4b1ee76fb9d
SHA1: fe9daa5b63d40ad5b7e18b613194b610c7792ff4
SHA256: f4f4d459698282bc9109716f91cc91fd3b36f363a352c17245c883dbd921fbdf
SHA512: 3562456620c5fe085ddbdfa89f61b90f98172b3cca6b2fc813e56ec28b77691458dce19b430b768ec7f2be53bc4c8aaad4651cad52e80bdf7636d7f34dee8dc8
SSDEEP: 12288:aeeY86AUjYZ9tDBrp2zc6qyWUIvIGlfqDT6N0XsqVnk2p9g9bz3Cdw7wUvw:abY86ojZlIwgQRUTk2p9glrC
Behavioral task: behavioral1
Sample: HGA9876700900H2.scr
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: HGA9876700900H2.scr
Resource: win10v2004-20240802-en
Malware Config
Extracted: remcos
RemoteHost: 192.210.150.26:8787
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-Q4NYK2
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: HGA9876700900H2.scr
Size: 883KB
MD5: 99e294d8f93ad2845be9c68f408e6f0a
SHA1: 0df7d97799b61cb82052b2391bc9aa12e3a702f2
SHA256: 23b79a548370036ac42a74e0d6e4106f28fce17db08aa91afa095159c86a3171
SHA512: 055133fb016b1c6f2df5c7770e4895991c9bc7d355d475f5a259d7f43eb3e85c57024dc7552048c1f27c982e10d82993098cd890e0bc07dc905af6d9131e0a0c
SSDEEP: 12288:EsHzOUNUSB/o5LsI1uwajJ5yvv1l2L33jjqJfYDjuN0TsqN5k2/96Nb33qTE7aUt:niUmSB/o5d1ubcvcjjCbuFk2/96l5p
Signatures
Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copying of, the web browser credential store.

Detected Nirsoft tools
Free utilities, often used by attackers, that can steal passwords, product keys, etc.

NirSoft MailPassView
Password recovery tool for various email clients.

NirSoft WebBrowserPassView
Password recovery tool for various web browsers.

Drops startup file

Executes dropped EXE

Loads dropped DLL

Accesses Microsoft Outlook accounts

AutoIT Executable
AutoIT scripts compiled to PE executables.

Suspicious use of SetThreadContext