General

Target: 7dd51a31f3cdd9713c2fd7fba05b61e83a2c5f3e9179c72bf419ae1a4a24f933.exe
Size: 720KB
Sample: 241031-c2wnpsyqen
MD5: 00856763f766f72595d02d08c29dd3dd
SHA1: 616bb8bac3280f929b41f490ff0cd41e863846b0
SHA256: 7dd51a31f3cdd9713c2fd7fba05b61e83a2c5f3e9179c72bf419ae1a4a24f933
SHA512: 893d4c1e82867e918a9c497d63dbdd13b3817262e065c0160451eb36b2776e71fffa882071af73b08ff04100d597d95c6ba7baf5c225ac76352dea8fda8b9401
SSDEEP: 12288:O9GWk2UTHM19w1M20P58sgwxzoLHtB7Y59jFkmDHThxL5DfJb:O9Gn2UTHMUM2psgFLANFHDzhxLX
Static task: static1
Behavioral task: behavioral1, sample 7dd51a31f3cdd9713c2fd7fba05b61e83a2c5f3e9179c72bf419ae1a4a24f933.exe, resource win7-20241010-en
Behavioral task: behavioral2, sample 7dd51a31f3cdd9713c2fd7fba05b61e83a2c5f3e9179c72bf419ae1a4a24f933.exe, resource win10v2004-20241007-en
Behavioral task: behavioral3, sample Bilist/Blyants.ps1, resource win7-20241010-en
Behavioral task: behavioral4, sample Bilist/Blyants.ps1, resource win10v2004-20241007-en
Malware Config

Extracted
Family: remcos
Botnet: OCTOBER
C2: windowxpjoke.duckdns.org:24044
C2: 84.38.132.104:1985
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: explorre
copy_folder: explorre
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-OAEVAI
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
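The following is an added example, not part of this report or of any Remcos tooling: it turns the extracted config into a small IOC set and runs it over constructed host and network telemetry. The C2 hosts, ports and mutex are copied from the config above and are the strong indicators. The file-path indicators are an assumption about where Remcos writes its keylog (%AppData%\keylog_folder\keylog_file) and its install copy (%AppData%\copy_folder); since install_flag and keylog_flag are both false in this build, those paths may never appear on disk, so they are reported separately as weak matches. SAMPLE_EVENTS is made up for the example.

```python
"""Turn the extracted Remcos config into IOCs and run them over telemetry.

Added example, not part of the sandbox report. REMCOS_CONFIG copies values
from the config above; SAMPLE_EVENTS is constructed, not sandbox output.
"""
import ipaddress
from dataclasses import dataclass

REMCOS_CONFIG = {
    "botnet": "OCTOBER",
    "c2": ["windowxpjoke.duckdns.org:24044", "84.38.132.104:1985"],
    "mutex": "Rmc-OAEVAI",
    "copy_folder": "explorre",
    "copy_file": "explorre",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "install_flag": False,
    "keylog_flag": False,
}


@dataclass(frozen=True)
class C2:
    host: str
    port: int
    is_ip: bool


def parse_c2(entry: str) -> C2:
    """Split 'host:port' and note whether the host is a literal IP or a DNS name."""
    host, _, port = entry.rpartition(":")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return C2(host.lower(), int(port), is_ip)


def build_iocs(cfg: dict) -> dict:
    c2s = [parse_c2(e) for e in cfg["c2"]]
    # Assumption: Remcos writes the keylog under %AppData%\<keylog_folder>\<keylog_file>
    # and its install copy under %AppData%\<copy_folder>. With install_flag and
    # keylog_flag both false these paths may never appear, so they are weak IOCs.
    return {
        "domains": {c.host for c in c2s if not c.is_ip},
        "ips": {c.host for c in c2s if c.is_ip},
        "ports": {c.port for c in c2s},
        "mutex": cfg["mutex"],
        "path_tails": {(cfg["keylog_folder"] + "\\" + cfg["keylog_file"]).lower()},
        "dir_markers": {("\\" + cfg["copy_folder"] + "\\").lower()},
    }


SAMPLE_EVENTS = [  # constructed telemetry for the example
    {"type": "dns", "query": "WindowXPJoke.duckdns.org."},
    {"type": "connect", "dst": "84.38.132.104", "dport": 1985},
    {"type": "connect", "dst": "192.0.2.10", "dport": 443},
    {"type": "mutex", "name": "Rmc-OAEVAI"},
    {"type": "file", "path": r"C:\Users\bob\AppData\Roaming\remcos\logs.dat"},
    {"type": "file", "path": r"C:\Users\bob\AppData\Roaming\explorre\explorre"},
    {"type": "file", "path": r"C:\Windows\explorer.exe"},
]


def match_events(iocs: dict, events: list) -> list:
    """Return (event_index, reason) for every event that matches an IOC.

    A bare destination-port match is reported on its own because high ports
    collide with legitimate traffic; treat it as a lead, not a detection.
    """
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "dns":
            if ev["query"].lower().rstrip(".") in iocs["domains"]:
                hits.append((i, "c2_domain"))
        elif kind == "connect":
            if ev["dst"] in iocs["ips"]:
                hits.append((i, "c2_ip"))
            elif ev["dport"] in iocs["ports"]:
                hits.append((i, "c2_port_only"))
        elif kind == "mutex":
            if ev["name"] == iocs["mutex"]:
                hits.append((i, "mutex"))
        elif kind == "file":
            p = ev["path"].lower()
            if any(p.endswith(t) for t in iocs["path_tails"]) or any(
                d in p for d in iocs["dir_markers"]
            ):
                hits.append((i, "config_path"))
    return hits


if __name__ == "__main__":
    for idx, why in match_events(build_iocs(REMCOS_CONFIG), SAMPLE_EVENTS):
        print(f"{why:14} {SAMPLE_EVENTS[idx]}")
```

The DNS-name C2 is a dynamic DNS host, so the resolved address can change between runs; hunt on the name and on the literal IP separately rather than only on the IP the sandbox happened to see.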
Targets

Target: 7dd51a31f3cdd9713c2fd7fba05b61e83a2c5f3e9179c72bf419ae1a4a24f933.exe
Size: 720KB
MD5: 00856763f766f72595d02d08c29dd3dd
SHA1: 616bb8bac3280f929b41f490ff0cd41e863846b0
SHA256: 7dd51a31f3cdd9713c2fd7fba05b61e83a2c5f3e9179c72bf419ae1a4a24f933
SHA512: 893d4c1e82867e918a9c497d63dbdd13b3817262e065c0160451eb36b2776e71fffa882071af73b08ff04100d597d95c6ba7baf5c225ac76352dea8fda8b9401
SSDEEP: 12288:O9GWk2UTHM19w1M20P58sgwxzoLHtB7Y59jFkmDHThxL5DfJb:O9Gn2UTHMUM2psgFLANFHDzhxLX

Remcos family
Remcos is a commercially sold remote access tool (RAT) that is widely abused for remote control, credential theft, keylogging and screen capture.

Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.

Blocklisted process makes network request
A process on the sandbox's blocklist (typically a script or system host that should not initiate connections on its own) made a network request.

Suspicious use of NtCreateThreadExHideFromDebugger
A thread was created through NtCreateThreadEx with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag, so an attached debugger receives no events for that thread.

Suspicious use of NtSetInformationThreadHideFromDebugger
NtSetInformationThread was called with the ThreadHideFromDebugger information class, which stops the thread from reporting debug events; a common anti-analysis technique.

Suspicious use of SetThreadContext
SetThreadContext was used to rewrite another thread's register state, a step in process hollowing and other thread-hijacking injection techniques.
Target: Bilist/Blyants.Den
Size: 51KB
MD5: f33c58ea75c086600c12aabd70fe5ed3
SHA1: 4901a7a2708a0cdc628899801896cdd54e5d83e2
SHA256: 74ccc7d9f777f47ae3fc9bac599d05d6bb7af85228aea4834e36329297b5765b
SHA512: 52f45268ff703c6178a78662a38f765cdc4dcd57f962e574b42b6852522835fb22b534c0f1764b78807f0ec806ceef0b4c57964ffd9f566f0c16bffaa1830eb0
SSDEEP: 768:BFT6VjXLo/zpwczhgCOaUReDBW6aQwsihuZkZC6T3dpAAq8M:nGLobu6hXJUC95wsUS96TzAAqZ
Score: 8/10

Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Windows runs the StubPath command of each component under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components at the next user logon, whenever the matching HKCU entry is missing or carries an older Version, so an entry whose StubPath points at a user-writable script or binary re-launches the payload without touching a Run key.

Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
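The Active Setup persistence described above, as an added hunting example that is not part of this report: parse an offline registry export and flag Installed Components whose StubPath runs from outside the system directories, invokes a script host, or references a user-writable location. The .reg text, its GUIDs and the stub paths are constructed for the example; the allowlisted prefixes and script-host names are this example's own assumptions, not a list taken from the sandbox.

```python
"""Hunt for suspicious Active Setup persistence in an offline .reg export.

Added example, not part of the sandbox report. SAMPLE_REG, its GUIDs and
paths are constructed; the allow/deny lists below are assumptions.
"""
import re
from dataclasses import dataclass, field

ACTIVE_SETUP_KEY = r"hkey_local_machine\software\microsoft\active setup\installed components"
# Assumed heuristics: legitimate Active Setup stubs live under the OS/program dirs
# and do not hand control to a script host or a user-writable path.
SYSTEM_PREFIXES = ("%systemroot%", "c:\\windows\\", "%programfiles%", "c:\\program files")
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "cmd.exe", "cmd /c")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="%SystemRoot%\\system32\\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\\system32\\themeui.dll"
"Version"="1,0,0,0"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="powershell.exe -w hidden -ep bypass -File \"C:\\Users\\bob\\AppData\\Roaming\\updsvc\\stage.ps1\""
"Version"="9,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000003}]
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Unrelated"="C:\\tool.exe"
'''


@dataclass
class Component:
    guid: str
    values: dict = field(default_factory=dict)


@dataclass
class Finding:
    guid: str
    stub_path: str
    reasons: list


_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _unescape(data: str) -> str:
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", data)


def parse_active_setup(reg_text: str) -> list:
    """Return the Installed Components keys found in a .reg export."""
    comps, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            if key.lower().startswith(ACTIVE_SETUP_KEY + "\\"):
                current = Component(guid=key.rsplit("\\", 1)[1])
                comps.append(current)
            else:
                current = None  # values under other keys are ignored
            continue
        m = _STR_RE.match(line)
        if m and current is not None:
            current.values[m.group(1)] = _unescape(m.group(2))
    return comps


def find_suspicious(comps: list) -> list:
    findings = []
    for c in comps:
        stub = c.values.get("StubPath")
        if not stub:
            continue  # nothing executes at logon without a StubPath
        s = stub.lower()
        reasons = []
        if not s.startswith(SYSTEM_PREFIXES):
            reasons.append("outside_system_dirs")
        if any(h in s for h in SCRIPT_HOSTS):
            reasons.append("script_host")
        if any(u in s for u in USER_WRITABLE):
            reasons.append("user_writable_location")
        if reasons:
            findings.append(Finding(c.guid, stub, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_active_setup(SAMPLE_REG)):
        print(f.guid, f.reasons, f.stub_path)
```

On a live host, export the key with reg.exe (reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg) and feed the file to parse_active_setup; remember that a component only fires for users whose HKCU copy is missing or older, so also compare the Version values when scoping which accounts have already executed the stub.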