SMALL_LOADER.pdb
General
-
Target
037289c207c8e229d728f247c2d7eb1459fb4413fcd4fe662f74c711169a1e08
-
Size
66.0MB
-
MD5
c16a4350adcf178d59431acb20b7de46
-
SHA1
3a050c1a2a91e42c96635f860da57e8a80b6935b
-
SHA256
037289c207c8e229d728f247c2d7eb1459fb4413fcd4fe662f74c711169a1e08
-
SHA512
b02673ae74d7ac60b9f1ab314300b9aae967267df106154e59b017fa99033a505e620a998952e1344de6fd59dd77ee9c78aac0d016c072b1f30b351a612cf29e
-
SSDEEP
1572864:esy8oDJztDnendZL0mB6B0veVP+MoE7tMfaUz8H1BqFuMId:48+JdedNB66YP+VOtMfaUz87Xd
Score
10/10
Malware Config
Extracted
Family
remcos
Botnet
zynova
C2
michelgoodsupportingtems.duckdns.org:14645
Attributes
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-GLHI75
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
Family
remcos
Botnet
RemoteHost
C2
216.9.225.133:10890
216.9.225.133:57089
216.9.225.133:49067
Attributes
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
egde
-
keylog_path
%Temp%
-
mouse_option
false
-
mutex
Rmc-616IW3
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Detect Neshta payload 1 IoCs
-
MedusaLocker payload 1 IoCs
-
Medusalocker family
-
Mimikatz family
-
Neshta family
-
Remcos family
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Detects Pyinstaller 1 IoCs
-
Unsigned PE 29 IoCs
Checks for missing Authenticode signature.
Files
-
037289c207c8e229d728f247c2d7eb1459fb4413fcd4fe662f74c711169a1e08
-
__MACOSX/void/._main.exe
-
__MACOSX/void/._main.py
-
__MACOSX/void/._output.zip
-
void/0394b475234ecc6f752ecdd9f7e5ea28cebe404e5db6a8cf2f9019915c4ddf43.exe
41e05d591d7d93bdd5bc6d5da04da74b
Headers
Imports
Sections
-
void/0aa210086ab837dea1a26dd45a661f7f78ea90d243c6fad74cd4772325bff20f.elf
-
void/250bb552893533d2e47ca18faa6f3026495d47bae799046c07749726f2f9c213.exe
eb97e4fc5518ac300a92a11673825e0b
Headers
Imports
Sections
-
void/257ffa778469d570082f7cfff1ad199a9bffffc278e9c012bea17d02393b95b4.exe
0fe08d485f9fbdde8ce74f7af370f432
Headers
Imports
Sections
-
void/3720875269fee71bfa7b07171bc78dfedddd95d32ecf5bd7f2ade07035c25e92.elf
-
void/37bbcc3c395c87a1373282cb5ebf15bca58d1569aa2ed994dd974c91694a4a98.unknown
-
void/43958be574c6a890961e38fa91710b15261d9b388d08c2b899219886f2ab710d.exe
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
Imports
Sections
-
void/469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b.ps1
-
void/57d336476264555c66a27678b566929904e125e30f9be185b6ef86235e8cd309.unknown
-
void/5a099db04b83c828b23e283d7bead0eed7e6c2e415a2632d5546bf776a54ac8b.exe
Headers
Sections
-
void/72cb96390164439710b0ab64f8b0e211d49875a0f4ea402da22a0269794891de.elf
-
void/7305516a3c2ef76a10be8dc65d0de1d446ad157abd51e84a2e0f3979fc6c4490.exe
e77512f955eaf60ccff45e02d69234de
Headers
Imports
Sections
-
void/75e13f8b1cfe3c72e918dba5b70f9040b3605e753e97b6011870fa123fd62d03.zip
Password: infected
-
การชำระเงินครั้งสุดท้าย.exe
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
Imports
Sections
-
void/7ac644fc3b59f9ae6995a9cc57c39aee97ac89b3d25652c29c9a3269a02db2d2.exe
0fe08d485f9fbdde8ce74f7af370f432
Headers
Imports
Sections
-
void/7b380357933497fe52439da94472b6cc7564fe5c852def28d4843c1a15792bcc.dmg
-
Brew/.DS_Store
-
Brew/.VolumeIcon.icns
-
Brew/.background/IKBwioj8.png
-
Brew/Brew
-
Brew/Brew:rsrc
-
void/7dec88c2ec34b8483abc44e98ec843877cc5ae88e094c90d46bbabfafdf3749a.html
-
void/80e6e20e66c60f7392af8f501b07f8a10893f8c426acd6bdb42ea50738e6fae3.exe
e77512f955eaf60ccff45e02d69234de
Headers
Imports
Sections
-
void/82231216bb55678a4bc192c1f0f180121ffc0a6278dcd1d6d9db8bea784ccf6b.exe
0fe08d485f9fbdde8ce74f7af370f432
Headers
Imports
Sections
-
void/8732ecc7dd6bb49a644d7ca3edadd316657b2508a013da09db0f5b3c5c036c71.exe
0fe08d485f9fbdde8ce74f7af370f432
Headers
Imports
Sections
-
void/8c55a86afc661db10bbe1a1d2ab249a5b30fc1fe4b6738ad3ed69546ea045897.elf
-
void/8cc0af07f6a734190daa831d3636db4d88a5c9e74872ebcfb3aa9b5beea77804.exe
ccf5b7744abd75e2692f1db42cf2f740
Headers
Imports
Sections
-
void/90bc7719a879aa092fc8c30c4eee199eac8980d2228f5d6cb33b24f1d5c4f738.exe
7182b1ea6f92adbf459a2c65d8d4dd9e
Headers
Imports
Sections
-
void/9e823b1176abb26551e17313ffce881ef7cf3955abe9d77653d7ff561e42f895.exe
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
Imports
Sections
-
void/b16e1cc7ec8168452d5108a181747669fe6336e3232716dc9649ed8e3733e32c.exe
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
Imports
Sections
-
void/b2493a580153291b69ca23190d00a00b1220cd0aadf469b3974fdaa726516649.exe
Headers
Sections
-
void/b263cffd4ddc9c3a3d69389688f8b2c0304c07369532c636a9bba34a0edd7d67.exe
eb97e4fc5518ac300a92a11673825e0b
Headers
Imports
Sections
-
void/b4d1b6f6c79d8278e5a05f24cfae5b4d23c2270ce2631e2e367831e77c2921dc.exe
eb97e4fc5518ac300a92a11673825e0b
Headers
Imports
Sections
-
void/ca4623861bafcadd04c72ddc379c076a000787d0f740b2229941653e79beb0e3.uue
-
Vertragsdokument.PDF/Vertragsdokument.exe
eb97e4fc5518ac300a92a11673825e0b
Headers
Imports
Sections
-
void/cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
Headers
Sections
-
void/d8ebe3fe44f5ec98822ba98e3a05daca1fb03e337668fa0380f9d93e49289040.exe
Headers
Sections
-
void/da0ff077f0d8f76845ff3de1dace71e4728fa64b5e93c30ed83389f5622a1105.exe
e77512f955eaf60ccff45e02d69234de
Headers
Imports
Sections
-
void/f1c5f3315ca2949fae58fb0f80df0e7d267328b1c5d5eaab37064a749a812e92.elf
-
void/f6d9fed051403b8b54ce228c4a84b91e1cd00628e7fe10e2391a009ad9a679a3.dll
1d54832fcbae6612dbe34fac996ed24e
Headers
Imports
Exports
Sections
-
void/f894fec166c68510a559fbe166f1aefc1c7ce0a23619687267d3f3ea08d024bf.exe
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
Imports
Sections
-
void/f8f141fd3566bf1d628edc7dcf31aca5f71242f8d8188c081fafa744d0864d5c.exe
Headers
Sections
-
void/fb8ce4287ed514447ac2cb3597cc60ad5fda7ad5beb805bb6ce3d89a58128090.elf
-
void/fc49acd7008a83ffacc002b6fb17f883d5105087a251dee4b76276ba745d67b9.elf
-
void/fc6e2360ec42b0162ca6c115a87359ddb884735669a408df62d03a695554d934 2.exe
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
Imports
Sections
-
void/fc6e2360ec42b0162ca6c115a87359ddb884735669a408df62d03a695554d934.exe
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
Imports
Sections
-
void/fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a.exe
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
Imports
Sections
-
void/main.exe
-
void/main.py
-
void/main.zip
-
__MACOSX/._main.py
-
main.py
8c1be39b6ace6c7da85b7edd83bef6f8
Code Sign
Headers
Imports
Sections
-
void/output.zip
-
main/_internal/VCRUNTIME140.dll
7f07fd94e5bb907093556781cc464017
Code Sign
Headers
Imports
Exports
Sections
-
main/_internal/_bz2.pyd
d0a62ab71a2b2ca69c6aba1f0a37fcdd
Code Sign
Headers
Imports
Exports
Sections
-
main/_internal/_decimal.pyd
b02a72bdacadb5125f4512c9f749cfea
Code Sign
Headers
Imports
Exports
Sections
-
main/_internal/_hashlib.pyd
02e7e9437b7e711286b4b21f873e174b
Code Sign
Headers
Imports
Exports
Sections
-
main/_internal/_lzma.pyd
c39c7a021b2adfc11bb34f105f70355e
Code Sign
Headers
Imports
Exports
Sections
-
main/_internal/_socket.pyd
332065e5d19d708832b034da27e5571a
Code Sign
Headers
Imports
Exports
Sections
-
main/_internal/base_library.zip
-
_collections_abc.pyc
-
_weakrefset.pyc
-
abc.pyc
-
codecs.pyc
-
collections/__init__.pyc
-
collections/abc.pyc
-
copyreg.pyc
-
encodings/__init__.pyc
-
encodings/aliases.pyc
-
encodings/ascii.pyc
-
encodings/base64_codec.pyc
-
encodings/big5.pyc
-
encodings/big5hkscs.pyc
-
encodings/bz2_codec.pyc
-
encodings/charmap.pyc
-
encodings/cp037.pyc
-
encodings/cp1006.pyc
-
encodings/cp1026.pyc
-
encodings/cp1125.pyc
-
encodings/cp1140.pyc
-
encodings/cp1250.pyc
-
encodings/cp1251.pyc
-
encodings/cp1252.pyc
-
encodings/cp1253.pyc
-
encodings/cp1254.pyc
-
encodings/cp1255.pyc
-
encodings/cp1256.pyc
-
encodings/cp1257.pyc
-
encodings/cp1258.pyc
-
encodings/cp273.pyc
-
encodings/cp424.pyc
-
encodings/cp437.pyc
-
encodings/cp500.pyc
-
encodings/cp720.pyc
-
encodings/cp737.pyc
-
encodings/cp775.pyc
-
encodings/cp850.pyc
-
encodings/cp852.pyc
-
encodings/cp855.pyc
-
encodings/cp856.pyc
-
encodings/cp857.pyc
-
encodings/cp858.pyc
-
encodings/cp860.pyc
-
encodings/cp861.pyc
-
encodings/cp862.pyc
-
encodings/cp863.pyc
-
encodings/cp864.pyc
-
encodings/cp865.pyc
-
encodings/cp866.pyc
-
encodings/cp869.pyc
-
encodings/cp874.pyc
-
encodings/cp875.pyc
-
encodings/cp932.pyc
-
encodings/cp949.pyc
-
encodings/cp950.pyc
-
encodings/euc_jis_2004.pyc
-
encodings/euc_jisx0213.pyc
-
encodings/euc_jp.pyc
-
encodings/euc_kr.pyc
-
encodings/gb18030.pyc
-
encodings/gb2312.pyc
-
encodings/gbk.pyc
-
encodings/hex_codec.pyc
-
encodings/hp_roman8.pyc
-
encodings/hz.pyc
-
encodings/idna.pyc
-
encodings/iso2022_jp.pyc
-
encodings/iso2022_jp_1.pyc
-
encodings/iso2022_jp_2.pyc
-
encodings/iso2022_jp_2004.pyc
-
encodings/iso2022_jp_3.pyc
-
encodings/iso2022_jp_ext.pyc
-
encodings/iso2022_kr.pyc
-
encodings/iso8859_1.pyc
-
encodings/iso8859_10.pyc
-
encodings/iso8859_11.pyc
-
encodings/iso8859_13.pyc
-
encodings/iso8859_14.pyc
-
encodings/iso8859_15.pyc
-
encodings/iso8859_16.pyc
-
encodings/iso8859_2.pyc
-
encodings/iso8859_3.pyc
-
encodings/iso8859_4.pyc
-
encodings/iso8859_5.pyc
-
encodings/iso8859_6.pyc
-
encodings/iso8859_7.pyc
-
encodings/iso8859_8.pyc
-
encodings/iso8859_9.pyc
-
encodings/johab.pyc
-
encodings/koi8_r.pyc
-
encodings/koi8_t.pyc
-
encodings/koi8_u.pyc
-
encodings/kz1048.pyc
-
encodings/latin_1.pyc
-
encodings/mac_arabic.pyc
-
encodings/mac_croatian.pyc
-
encodings/mac_cyrillic.pyc
-
encodings/mac_farsi.pyc
-
encodings/mac_greek.pyc
-
encodings/mac_iceland.pyc
-
encodings/mac_latin2.pyc
-
encodings/mac_roman.pyc
-
encodings/mac_romanian.pyc
-
encodings/mac_turkish.pyc
-
encodings/mbcs.pyc
-
encodings/oem.pyc
-
encodings/palmos.pyc
-
encodings/ptcp154.pyc
-
encodings/punycode.pyc
-
encodings/quopri_codec.pyc
-
encodings/raw_unicode_escape.pyc
-
encodings/rot_13.pyc
-
encodings/shift_jis.pyc
-
encodings/shift_jis_2004.pyc
-
encodings/shift_jisx0213.pyc
-
encodings/tis_620.pyc
-
encodings/undefined.pyc
-
encodings/unicode_escape.pyc
-
encodings/utf_16.pyc
-
encodings/utf_16_be.pyc
-
encodings/utf_16_le.pyc
-
encodings/utf_32.pyc
-
encodings/utf_32_be.pyc
-
encodings/utf_32_le.pyc
-
encodings/utf_7.pyc
-
encodings/utf_8.pyc
-
encodings/utf_8_sig.pyc
-
encodings/uu_codec.pyc
-
encodings/zlib_codec.pyc
-
enum.pyc
-
functools.pyc
-
genericpath.pyc
-
heapq.pyc
-
io.pyc
-
keyword.pyc
-
linecache.pyc
-
locale.pyc
-
ntpath.pyc
-
operator.pyc
-
os.pyc
-
posixpath.pyc
-
re/__init__.pyc
-
re/_casefix.pyc
-
re/_compiler.pyc
-
re/_constants.pyc
-
re/_parser.pyc
-
reprlib.pyc
-
sre_compile.pyc
-
sre_constants.pyc
-
sre_parse.pyc
-
stat.pyc
-
traceback.pyc
-
types.pyc
-
warnings.pyc
-
weakref.pyc
-
main/_internal/libcrypto-3.dll
40bce6a23883072a66c68006f08e105c
Code Sign
Headers
Imports
Exports
Sections
-
main/_internal/python311.dll
58719147041fe606491d4732e2dee131
Code Sign
Headers
Imports
Exports
Sections
-
main/_internal/select.pyd
fc4f7d736924aa67a1bd7b7b80894df9
Code Sign
Headers
Imports
Exports
Sections
-
main/_internal/unicodedata.pyd
bb6f6d951dbdd290ecf382ca57459172
Code Sign
Headers
Imports
Exports
Sections
-
main/main.exe
33742414196e45b8b306a928e178f844
Headers
Imports
Sections
-
main.pyc