General
-
Target
e4ed3892cc2c77e7de57a5fc47040118740b1a672747f72193ed065570a55b38.exe
-
Size
795KB
-
Sample
240928-cd5ayatcph
-
MD5
50ad24c74502951d0bec1507ca050c46
-
SHA1
392235b1cf28c1e5e5c4ce98922b472d80fb8d0c
-
SHA256
e4ed3892cc2c77e7de57a5fc47040118740b1a672747f72193ed065570a55b38
-
SHA512
e06ac807482380f9b1986f1b064ee215716095aac4350d9427baeeda5a6bfc4a302b048788a3d187e9131620f032e0a6476cbff5f6db9eb2420a56ecbaade5d8
-
SSDEEP
24576:twh/C6tZbwDaudTLF9AMWR9hoRR7jKzjrh:twE6tZ6dT/A5ORlKzj1
Static task
static1
Behavioral task
behavioral1
Sample
e4ed3892cc2c77e7de57a5fc47040118740b1a672747f72193ed065570a55b38.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e4ed3892cc2c77e7de57a5fc47040118740b1a672747f72193ed065570a55b38.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
Malware Config
Extracted
remcos
RemoteHost
66.150.198.142:2700
66.150.198.142:27000
66.150.198.142:26000
66.150.198.142:28000
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-I617OK
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
e4ed3892cc2c77e7de57a5fc47040118740b1a672747f72193ed065570a55b38.exe
-
Size
795KB
-
MD5
50ad24c74502951d0bec1507ca050c46
-
SHA1
392235b1cf28c1e5e5c4ce98922b472d80fb8d0c
-
SHA256
e4ed3892cc2c77e7de57a5fc47040118740b1a672747f72193ed065570a55b38
-
SHA512
e06ac807482380f9b1986f1b064ee215716095aac4350d9427baeeda5a6bfc4a302b048788a3d187e9131620f032e0a6476cbff5f6db9eb2420a56ecbaade5d8
-
SSDEEP
24576:twh/C6tZbwDaudTLF9AMWR9hoRR7jKzjrh:twE6tZ6dT/A5ORlKzj1
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
9625d5b1754bc4ff29281d415d27a0fd
-
SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
-
SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
-
SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b
-
SSDEEP
192:eX24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlqSlS:D8QIl972eXqlWBFSt273YOlqz
Score3/10 -