General
-
Target
r12d12.space_b.txt.ps1.ps1
-
Size
1KB
-
Sample
241207-a4pxtswqfz
-
MD5
35c92f4cd446344a166cbf83dbf0ff15
-
SHA1
e06f98c2f5f82eab44226937d5ce29600f407dcf
-
SHA256
8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39
-
SHA512
63128bbe01c0123b5131ed863759dfc19f036dfb53f2d62e15b24f5f3c1df2c8391f48881919741e599c4c922e95b9f7395b9da15d40b7e3655358a9832296da
Static task
static1
Behavioral task
behavioral1
Sample
r12d12.space_b.txt.ps1
Resource
win7-20240729-en
Malware Config
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
Extracted
remcos
Crypt04
185.208.158.161:2404
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
crashhandlerinfo
-
mouse_option
false
-
mutex
Rmc-F12W9O
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
lumma
https://se-blurry.biz/api
https://zinc-sneark.biz/api
Targets
-
-
Target
r12d12.space_b.txt.ps1.ps1
-
Size
1KB
-
MD5
35c92f4cd446344a166cbf83dbf0ff15
-
SHA1
e06f98c2f5f82eab44226937d5ce29600f407dcf
-
SHA256
8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39
-
SHA512
63128bbe01c0123b5131ed863759dfc19f036dfb53f2d62e15b24f5f3c1df2c8391f48881919741e599c4c922e95b9f7395b9da15d40b7e3655358a9832296da
-
Lumma family
-
Parallax family
-
ParallaxRat payload
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
-
Remcos family
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-