General
-
Target
09_deb64ed.exe
-
Size
483KB
-
Sample
241112-2ydfdsshla
-
MD5
f080e8592d9fd9f4a41c389af2071dc6
-
SHA1
352f0286ccc2c4cdabe54092239b2f600d34c898
-
SHA256
586f683570e1dee78b376a2feeaf0e73f04a668ce82f0fe765eff566b3887af7
-
SHA512
35d97a99f74dfa33afe37bcd04fc5f4de6c38eb163b9fa84a20d0b2a507276b7abb27a4abe0caba0ce8c929ef238d554913465509f971d2246dab23c5e66498c
-
SSDEEP
12288:W5k+Yqaxrh3Nln+N52fIA4jbsvZzGyA4:gY9xrh3NDfIA4jOZ
Behavioral task
behavioral1
Sample
09_deb64ed.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
09_deb64ed.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
remcos
RemoteHost-16465
rem.aaahorneswll.com:16465
31.13.224.230:16465
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-80V4Z7
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
09_deb64ed.exe
-
Size
483KB
-
MD5
f080e8592d9fd9f4a41c389af2071dc6
-
SHA1
352f0286ccc2c4cdabe54092239b2f600d34c898
-
SHA256
586f683570e1dee78b376a2feeaf0e73f04a668ce82f0fe765eff566b3887af7
-
SHA512
35d97a99f74dfa33afe37bcd04fc5f4de6c38eb163b9fa84a20d0b2a507276b7abb27a4abe0caba0ce8c929ef238d554913465509f971d2246dab23c5e66498c
-
SSDEEP
12288:W5k+Yqaxrh3Nln+N52fIA4jbsvZzGyA4:gY9xrh3NDfIA4jOZ
-
Remcos family
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Accesses Microsoft Outlook accounts
-
Suspicious use of SetThreadContext
-