General
-
Target
RFQ 6000208225.exe
-
Size
1.3MB
-
Sample
241106-ptgk2ayrhw
-
MD5
3392cd428f177152dcf9ac6256365b1a
-
SHA1
3e454db1c2d909510594a48efbe0380c3194aa2f
-
SHA256
1f785691c057f5062ac9d630cf304ad946c825928c87e63172f335e96beddda1
-
SHA512
53265bead60447f7dd26db363dfe3a698d83c51019c4fa1d51907d5166cd53e11dae4da51ee3ebe162f0313ac6b2971a0a3904a4738fde116d835eab4c4d53bb
-
SSDEEP
24576:Z6k1f9gIpCzUjadgzQdbzyoxSyz74WCePDMoqno2NND74lams:ZJFmSCzyApoy/p3PDP6Ela3
Static task
static1
Behavioral task
behavioral1
Sample
RFQ 6000208225.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
RFQ 6000208225.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Malware Config
Extracted
remcos
RemoteHost
212.162.149.220:2404
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-2JYO24
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
RFQ 6000208225.exe
-
Size
1.3MB
-
MD5
3392cd428f177152dcf9ac6256365b1a
-
SHA1
3e454db1c2d909510594a48efbe0380c3194aa2f
-
SHA256
1f785691c057f5062ac9d630cf304ad946c825928c87e63172f335e96beddda1
-
SHA512
53265bead60447f7dd26db363dfe3a698d83c51019c4fa1d51907d5166cd53e11dae4da51ee3ebe162f0313ac6b2971a0a3904a4738fde116d835eab4c4d53bb
-
SSDEEP
24576:Z6k1f9gIpCzUjadgzQdbzyoxSyz74WCePDMoqno2NND74lams:ZJFmSCzyApoy/p3PDP6Ela3
-
Guloader family
-
Remcos family
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
fc3772787eb239ef4d0399680dcc4343
-
SHA1
db2fa99ec967178cd8057a14a428a8439a961a73
-
SHA256
9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed
-
SHA512
79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89
-
SSDEEP
192:eS24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OloSl:S8QIl975eXqlWBrz7YLOlo
Score3/10 -