General
-
Target
DEMASI-24-12B DOC. SCAN.exe
-
Size
699KB
-
Sample
241112-n31vlavpck
-
MD5
63d2f97a6de92084873293a617e685db
-
SHA1
423997f0830a1f833d7c1e6b615ac84850b298a1
-
SHA256
a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99
-
SHA512
2954eb36e39cbfa18c024dae9536d42b4f2eecf16bf3db623e0efc3f1a7ba02f9df4a1831abb4315b03b83c7497278b10f8001ea484cc31da8352f265f214743
-
SSDEEP
12288:E3cAEjow+kXtp28J4cGUhl+n0kbd6t21Rwm3+9rtQEFoxB50+tNADhZebeEkO/:E3cAEjow+kXf28J4cGeAn0Ttzm3EruEa
Static task
static1
Behavioral task
behavioral1
Sample
DEMASI-24-12B DOC. SCAN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
DEMASI-24-12B DOC. SCAN.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Malware Config
Extracted
remcos
ReBorn
gerfourt99lahjou2.duckdns.org:3487
gerfourt99lahjou2.duckdns.org:3488
gerfourt99lahjou3.duckdns.org:3487
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
ksaourts.dat
-
keylog_flag
false
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
ksajoutr-WG0CPT
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
- startup_value
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
DEMASI-24-12B DOC. SCAN.exe
-
Size
699KB
-
MD5
63d2f97a6de92084873293a617e685db
-
SHA1
423997f0830a1f833d7c1e6b615ac84850b298a1
-
SHA256
a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99
-
SHA512
2954eb36e39cbfa18c024dae9536d42b4f2eecf16bf3db623e0efc3f1a7ba02f9df4a1831abb4315b03b83c7497278b10f8001ea484cc31da8352f265f214743
-
SSDEEP
12288:E3cAEjow+kXtp28J4cGUhl+n0kbd6t21Rwm3+9rtQEFoxB50+tNADhZebeEkO/:E3cAEjow+kXf28J4cGeAn0Ttzm3EruEa
-
Remcos family
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
12KB
-
MD5
12b140583e3273ee1f65016becea58c4
-
SHA1
92df24d11797fefd2e1f8d29be9dfd67c56c1ada
-
SHA256
014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042
-
SHA512
49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a
-
SSDEEP
192:gFiQJ77pJp17C8F1A5xjGNxrgFOgb7lrT/nC93:E7pJp48F2exrg5F/C
Score3/10 -
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1