General
-
Target
Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
-
Size
759KB
-
Sample
241216-thcj6avjhx
-
MD5
e1dc71be5b3466d47a4934013be9b604
-
SHA1
4c6627a901ade3b1f0cd6a233085deb7e044ef97
-
SHA256
1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53
-
SHA512
a44f75ea0eac848dd2b724b9a50fb5b0259382f61a047563689381e3a60fc07547c209b2acdddcb1dae371cdf51f0065e2a89ff0276299c0d72928af87c9aafc
-
SSDEEP
12288:GtomEHbPQsIbw8Z9TzDBWzowh0Nxj5gUZVroN64V23i3Qo+eSp5:TN7PXIdZlDBWUrx5gAVroNFHzU
Static task
static1
Behavioral task
behavioral1
Sample
Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Malware Config
Extracted
remcos
RemoteHost
162.251.122.87:2404
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-UOMZ21
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
-
Size
759KB
-
MD5
e1dc71be5b3466d47a4934013be9b604
-
SHA1
4c6627a901ade3b1f0cd6a233085deb7e044ef97
-
SHA256
1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53
-
SHA512
a44f75ea0eac848dd2b724b9a50fb5b0259382f61a047563689381e3a60fc07547c209b2acdddcb1dae371cdf51f0065e2a89ff0276299c0d72928af87c9aafc
-
SSDEEP
12288:GtomEHbPQsIbw8Z9TzDBWzowh0Nxj5gUZVroN64V23i3Qo+eSp5:TN7PXIdZlDBWUrx5gAVroNFHzU
-
Guloader family
-
Remcos family
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
ca332bb753b0775d5e806e236ddcec55
-
SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
-
SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
-
SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00
-
SSDEEP
192:eo24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol6Sl:k8QIl975eXqlWBrz7YLOl6
Score3/10 -