Extracted

• • Target

    TNT invoice.exe

  • Size

    962KB

  • MD5

    36a61907068929b0cea9cfad4bb45b5f

  • SHA1

    564d7d74f94fe07b5590a6c17b0caad3536c61c6

  • SHA256

    b041b54fdd8bac5ca781c5b064235a29cc29480edb623a216a2a3d8aef71ea16

  • SHA512

    6e3f7cc4d0995c7937049cde030f983ca0d80afdf08dfa3defb14a6778349ae8296ee950407f5f0a1e42eb32122aa8a9b104a40a4f7171fd2c6c162896e2fc1d

  • SSDEEP

    24576:OkGY2eTMCq/oDIALSR7mD60noFfzE5BG:PAeTw/oDnWoD6GoBE5E

  Score

  10^/10

  remcosirncollectioncredential_accessdiscoveryexecutionpersistenceratspywarestealer

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2