General
-
Target
COTIZACIONSyCONSULTA#46789NOV24.bat.exe
-
Size
696KB
-
Sample
241113-h6m51sxdqh
-
MD5
9481aae46f5f383c4cf6e5b3dacd68b4
-
SHA1
580a6fc8fb6c6609cfcd356e9894cdb5318135ee
-
SHA256
857596f38c587a4a832bdd9136cc593ab7073ca3bda87b513e4e13ee31af0a32
-
SHA512
ecc96befec7561eb4e5320f22f48d6fb0ddf837a8ba1eee6b823a80ff81b874f8553ef83001612d31d7a3b4a441e1fed2664ed40e10c72efca8e95a0da1c0b90
-
SSDEEP
12288:z8bn1Tfr3YmR1j+uP30YcUbA3pPru8escoGcZhAkFN2ZTyWy0ctqhm2V7P:zun1XdRV+u/Lcj3pusccAgN2ZT1HI2VD
Static task
static1
Behavioral task
behavioral1
Sample
COTIZACIONSyCONSULTA#46789NOV24.bat.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
COTIZACIONSyCONSULTA#46789NOV24.bat.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Hypermyotonia/Selvskyldnerkautioners166.ps1
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Hypermyotonia/Selvskyldnerkautioners166.ps1
Resource
win10v2004-20241007-en
Malware Config
Extracted
remcos
SLAVES
windowslavesclient.duckdns.org:1604
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-J3MJAP
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
COTIZACIONSyCONSULTA#46789NOV24.bat.exe
-
Size
696KB
-
MD5
9481aae46f5f383c4cf6e5b3dacd68b4
-
SHA1
580a6fc8fb6c6609cfcd356e9894cdb5318135ee
-
SHA256
857596f38c587a4a832bdd9136cc593ab7073ca3bda87b513e4e13ee31af0a32
-
SHA512
ecc96befec7561eb4e5320f22f48d6fb0ddf837a8ba1eee6b823a80ff81b874f8553ef83001612d31d7a3b4a441e1fed2664ed40e10c72efca8e95a0da1c0b90
-
SSDEEP
12288:z8bn1Tfr3YmR1j+uP30YcUbA3pPru8escoGcZhAkFN2ZTyWy0ctqhm2V7P:zun1XdRV+u/Lcj3pusccAgN2ZT1HI2VD
-
Remcos family
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Accesses Microsoft Outlook accounts
-
Blocklisted process makes network request
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
Hypermyotonia/Selvskyldnerkautioners166.Ove
-
Size
54KB
-
MD5
dc17cbe567137cd2180d5d9008408c1b
-
SHA1
f6d6cb48deacb371ae5e948b614216411a957b8a
-
SHA256
a39ec711eead243210ca0061a2b0365b86f40b5114a4a17286960a36c668053d
-
SHA512
64bf594a0cee26fbdfafac1d552a7ab4dedbc566fa58d4af1c3bc22a6d11814e0511daed2cb8725b7d3c0a91765a980b2ebc4836c09fad159282db01edb64833
-
SSDEEP
768:Yl0M2fXsstjro7/vPAGoffMSMNg8NvcJ4b0UnCJTyOOLqOAPRJi4FQmJQKJa8TDS:Ylr+Je7XAGIHMN7c9O/0q4X7DkKc
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-