Extracted

Extracted

• • Target

    niceworkeverseenonmybrandnewthings.exe

  • Size

    190KB

  • MD5

    28c97dfde19efa88d6c84a0e7286154b

  • SHA1

    3fe7be956df064cacdbecca32d73c05ca0d700d0

  • SHA256

    639983f2307c5ca4de91dd8128e4b68cc492206eb9cd86064bde0cbd2124e375

  • SHA512

    d0b7db1d451de64143e2b90b1614d628c2aca1e5739c1ff8f0c91a2cf33258d9be7068b08793fae57d84b0e16fbcb23107eea428eebe94037f91b6cf43c10b24

  • SSDEEP

    3072:hb2nhXR7q3BWE12iLRXNEZC+eJxDXXCUgt5pQ9xgGwRzPC86zQRQ6QbQVQbQ0QWO:hbutgrAiLRaI+o2IZKUs3b2V+f4G

  Score

  10^/10

  executionremcosremotehostcollectioncredential_accessdiscoveryratspywarestealer

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Suspicious use of SetThreadContext

  behavioral1behavioral2