General
-
Target
c69b2064c89c254dbeda8f204b3a60ab753816ddff618be9d593cb9839cfe09d.exe
-
Size
779KB
-
Sample
241205-dtnhsssjfj
-
MD5
935bdb714d2c6a118e9c6bfd941084b8
-
SHA1
817f3f195d61d459fbbdac24e5a4f014d927edcf
-
SHA256
c69b2064c89c254dbeda8f204b3a60ab753816ddff618be9d593cb9839cfe09d
-
SHA512
6915674b2cf0bbc300f18dc26fd983bb69d5ddf8ec7d00831915ae6d5602d0b770d5e785ab8b0d33b9e0c353773e2777273ff6e8383d7332a54fe2440976ede4
-
SSDEEP
12288:XXa6zw6GW2F+5XizizdI+9kUWM6vQWO0v1wb1EVLz56TE/n0koAHf9qo05bWYpD/:XXal655XEIimkUd0dPpL04/9X05bj
Static task
static1
Behavioral task
behavioral1
Sample
c69b2064c89c254dbeda8f204b3a60ab753816ddff618be9d593cb9839cfe09d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c69b2064c89c254dbeda8f204b3a60ab753816ddff618be9d593cb9839cfe09d.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Burglarproofs/bordskaaneren.ps1
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
Burglarproofs/bordskaaneren.ps1
Resource
win10v2004-20241007-en
Malware Config
Extracted
remcos
RemoteHost
185.29.10.213:63650
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-NJ8CFR
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
c69b2064c89c254dbeda8f204b3a60ab753816ddff618be9d593cb9839cfe09d.exe
-
Size
779KB
-
MD5
935bdb714d2c6a118e9c6bfd941084b8
-
SHA1
817f3f195d61d459fbbdac24e5a4f014d927edcf
-
SHA256
c69b2064c89c254dbeda8f204b3a60ab753816ddff618be9d593cb9839cfe09d
-
SHA512
6915674b2cf0bbc300f18dc26fd983bb69d5ddf8ec7d00831915ae6d5602d0b770d5e785ab8b0d33b9e0c353773e2777273ff6e8383d7332a54fe2440976ede4
-
SSDEEP
12288:XXa6zw6GW2F+5XizizdI+9kUWM6vQWO0v1wb1EVLz56TE/n0koAHf9qo05bWYpD/:XXal655XEIimkUd0dPpL04/9X05bj
Score10/10-
Remcos family
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
Burglarproofs/bordskaaneren.Exp
-
Size
55KB
-
MD5
755fb54225dd285b06c369a2f5e58082
-
SHA1
f87f62424d1e437c7bd3b8c5fad3ed40269f140a
-
SHA256
81e5c8c7b98950c580ef3681dca6bfb2729cc82e862dabc118a53442c4c96bc1
-
SHA512
4efea102c5076a541f96a788d88dc550195abc0a464b0d36638a8502836077f9c02e0a636c1f9654c693a7c853df0e6b99eaf6f0d4e5ffb0f81ae64690b3c915
-
SSDEEP
768:WaLT5CxcsKDtyp82tKMAMtIDFX7a+I+peEGQO6GmJ14YNy39RS8QEw0AEEL8Rp5E:R4w+EQ+Dk/k/GYNy39g8oWsUp5+ddV4g
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1