General
-
Target
13112024_0149_OCBC.PaymentAdvice.pdf.exe.iso
-
Size
76KB
-
Sample
241113-b86a2sxpcj
-
MD5
80b5f7eaba74d8d03bdb37e4d2fa3646
-
SHA1
f12b66daf42c7b886e258a91a507b22ff1a0eb9d
-
SHA256
ed11a1720faafbb6e931be84e0159e6f57886ccc928e9c1bf007b4c6bf2c4d2b
-
SHA512
987b82192e52f5f49a62d64aee8e0cebac29842c5366ad72e4132898e29ad745f3643e10a5aa0364e0bd7d0083c98a236c21f9ffb2ed716910d5fb5efe6b7deb
-
SSDEEP
192:X9q/z/Yk+pxEnFgA/Wh764JziWHCEvNesGIN:X9Q8vpxEnFgf76UvvNesJ
Static task
static1
Behavioral task
behavioral1
Sample
OCBC.PaymentAdvice.pdf.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
OCBC.PaymentAdvice.pdf.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
remcos
RemoteHost
204.10.160.239:9682
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-6D4L9S
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
OCBC.PaymentAdvice.pdf.exe
-
Size
25KB
-
MD5
3b545f7f4f5f5ae844a1743a51877f45
-
SHA1
5f423addc5664d4706a7bc1929e2f824848b12a6
-
SHA256
104b35f5d9c703f0c6b45ce79ec5c7023bf33681c303855ea03ceff56786dcef
-
SHA512
2b509774413dcb03fc83a82a20039d52f18b769ee83d21c7789628fe3967321479f6b6b11e5fb39740687d9763052188a0ced296679402d7e3f7dd4e449ac10e
-
SSDEEP
192:8/z/Yk+pxEnFgA/Wh764JziWHCEvNesGIN:q8vpxEnFgf76UvvNesJ
-
Remcos family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Drops startup file
-
Accesses Microsoft Outlook accounts
-
Suspicious use of SetThreadContext
-