General
- Target: archive_9.zip
- Size: 49.0MB
- Sample: 250322-gwdcdstjs4
- MD5: 900f25e26fe68be65ab8c7737b7d6ef4
- SHA1: 02447d2ba8d6304c1b76d6f4acf42866edd8f6cd
- SHA256: add6234329d65ae878b6112d7d63d6641b842d28c0fa2fa5fbbb09a1b835bc0c
- SHA512: 36fd78ffa372790d21dce85e2a6cae105a1cce4a92aa9f52c74625676018c25a97b94cb680f39dbf94051b3966e35c3be56dc3ed57c0785c8ad57b524da0c341
- SSDEEP: 1572864:C9gd+BaNd33byiU4BBi7yyzjJOkxeQ6Q6:Ogd+Bam4BBYyyz0/Q6Q6
Behavioral tasks (sample, resource)
- behavioral1: 21f28d08dc54803297d88496cbcf33b3314d19d8d526d5c30fcaf34e03e0f44a.exe (win7-20250207-en)
- behavioral2: 21f28d08dc54803297d88496cbcf33b3314d19d8d526d5c30fcaf34e03e0f44a.exe (win10v2004-20250314-en)
- behavioral3: 21f66f607b86f4db433d605d92d00531.exe (win7-20240903-en)
- behavioral4: 21f66f607b86f4db433d605d92d00531.exe (win10v2004-20250314-en)
- behavioral5: 2225aa5547f360f85048a5ead0ad3d980d89c0d213fb60544912c2eafa29c366.exe (win7-20240903-en)
- behavioral6: 2225aa5547f360f85048a5ead0ad3d980d89c0d213fb60544912c2eafa29c366.exe (win10v2004-20250314-en)
- behavioral7: 229543f6c7784759f628c2f004852272.exe (win7-20241010-en)
- behavioral8: 229543f6c7784759f628c2f004852272.exe (win10v2004-20250314-en)
- behavioral9: 229ce4ad220d6fc570b37e681d37ace4c11216f0a6a879701a174aac5c4c2142.exe (win7-20250207-en)
- behavioral10: 229ce4ad220d6fc570b37e681d37ace4c11216f0a6a879701a174aac5c4c2142.exe (win10v2004-20250314-en)
- behavioral11: 22ce8222d21c2d1a2d81b3f6e624d15b.exe (win7-20240903-en)
- behavioral12: 22ce8222d21c2d1a2d81b3f6e624d15b.exe (win10v2004-20250314-en)
- behavioral13: 22e982850d21652c4a32b8c048f19b20.exe (win7-20240903-en)
- behavioral14: 22e982850d21652c4a32b8c048f19b20.exe (win10v2004-20250314-en)
- behavioral15: 22f097b0a0666aaffb57efec67cc00dc69e1b624bdfb4c7ea69627a07cf12691.exe (win7-20240903-en)
- behavioral16: 22f097b0a0666aaffb57efec67cc00dc69e1b624bdfb4c7ea69627a07cf12691.exe (win10v2004-20250314-en)
- behavioral17: 22f1f6e81e6bd6c160bd96c4742040f6d275ae30664f7074f3cfdba83bf356ff.exe (win7-20250207-en)
- behavioral18: 22f1f6e81e6bd6c160bd96c4742040f6d275ae30664f7074f3cfdba83bf356ff.exe (win10v2004-20250314-en)
- behavioral19: 231f156f9f4b328156bcb91a17f2a636.exe (win7-20240903-en)
- behavioral20: 231f156f9f4b328156bcb91a17f2a636.exe (win10v2004-20250314-en)
- behavioral21: 23f2f3a3cdfd8142daa853ff68baaf99.exe (win7-20240729-en)
- behavioral22: 23f2f3a3cdfd8142daa853ff68baaf99.exe (win10v2004-20250314-en)
- behavioral23: 23f9b03d2df5b98862c4a8786e7c60b9.exe (win7-20241010-en)
- behavioral24: 23f9b03d2df5b98862c4a8786e7c60b9.exe (win10v2004-20250314-en)
- behavioral25: 23ff6ba14d3b8f4e26b767c0e34e371c9c3ebbd812a6ffcdda48d83582c2d591.exe (win7-20241023-en)
- behavioral26: 23ff6ba14d3b8f4e26b767c0e34e371c9c3ebbd812a6ffcdda48d83582c2d591.exe (win10v2004-20250314-en)
- behavioral27: 241c1d05adf291569126403b9a0e97c1c0beebbf68a5a4c9c6dad1a9f2f7a347.exe (win7-20240903-en)
- behavioral28: 241c1d05adf291569126403b9a0e97c1c0beebbf68a5a4c9c6dad1a9f2f7a347.exe (win10v2004-20250314-en)
- behavioral29: 243242e5813fdbd8135ecb71808ecb70acf43e6c2bbfa8a0c5132c1fab67adfc.exe (win7-20240903-en)
- behavioral30: 243242e5813fdbd8135ecb71808ecb70acf43e6c2bbfa8a0c5132c1fab67adfc.exe (win10v2004-20250313-en)
- behavioral31: 24333d13e7b86f4e510460d2dd15aec988c73187602e961b434f12ee69f8e2f5.exe (win7-20240903-en)
Malware Config

Extracted: umbral
- Webhooks:
  https://discord.com/api/webhooks/1352294120709816320/BHrRyBn4V7i1bP_r17TDUnQrDR-Nt8f9Cwlc27StMgKmxuDQUJKQDuQmJhn28FCc1hAO
  https://discord.com/api/webhooks/1351960627916046548/sMCVB7IW3xO9VYRI077To74W-rwcNv72ZfhSKGZQEhb_LIo_Y_mlEqd4E1zkI_gaMve_

Extracted: xworm
- Version: 5.0
- C2: 212.224.93.247:5605, 45.154.98.175:6969, larger-pose.gl.at.ply.gg:5114
- 9Ydyo7uUL1dNGSd5
- install_file: USB.exe

Extracted: xworm
- C2: 127.0.0.1:7000
- install_file: USB.exe

Extracted: asyncrat
- Default
- C2: 27.ip.gl.ply.gg:1365
- delay: 120
- install: true
- install_file: svchost.exe
- install_folder: %Temp%

Extracted: asyncrat
- Venom RAT + HVNC + Stealer + Grabber v6.0.3
- Default
- hshshhsh
- delay: 1
- install: true
- install_file: 6asd8sdad2183sada8213s.exe
- install_folder: %Temp%
- pastebin_config: https://pastebin.com/raw/LwwcrLg4

Extracted: njrat
- 0.7d
- HacKed
- C2: aali13212.ddns.net:1177, tibeve7951.ddns.net:1177
- 6f3851bd96f8b2182bdbb36e94744d6e
- reg_key: 6f3851bd96f8b2182bdbb36e94744d6e
- splitter: |'|'|

Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: Boy12345#

Extracted: remcos
- 1.7 Pro
- Host: 213.183.58.19:4000
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: read.dat
- keylog_flag: false
- keylog_folder: CastC
- keylog_path: %AppData%
- mouse_option: false
- mutex: remcos_sccafsoidz
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Targets

Target: 21f28d08dc54803297d88496cbcf33b3314d19d8d526d5c30fcaf34e03e0f44a.exe
- Size: 231KB
- MD5: 2f4ccda2d6d63cb86b7364cc8e5c95ec
- SHA1: 12a830b8ae0530d7db30b6e50b0593c30625bdfd
- SHA256: 21f28d08dc54803297d88496cbcf33b3314d19d8d526d5c30fcaf34e03e0f44a
- SHA512: 0b6c799dd8e6b9c0ce84266de52492a3f705a15888720415fe479e3b03deadcde88b2fdd7c56320dea703d7eb5358edaa1fa5fb23f3ce09de296befc4966946f
- SSDEEP: 6144:xloZM+rIkd8g+EtXHkv/iD4NVyQdLocD0abtIExXdb8e1mvoDi:DoZtL+EP8NVyQdLocD0abtIExtIoO
Signatures:
- Detect Umbral payload
- Umbral family
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

Target: 21f66f607b86f4db433d605d92d00531.exe
- Size: 1.6MB
- MD5: 21f66f607b86f4db433d605d92d00531
- SHA1: f40284412b592f66288656c9883f1c740bfd6fab
- SHA256: 7ed1f0270ecdcff9af42e3f4e54689cb96ddbe26d370e848942d08dc3e5fa9ea
- SHA512: 9543327ed0c632e39ad6204c1371ee9cfa152079c5fd01f3dc8aaf9b4bc992315cc05b4fc509b6e718116ff75785c525256e7570706b1b2ffb41a250ae89ab73
- SSDEEP: 24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
- Score: 10/10
Signatures:
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE

Target: 2225aa5547f360f85048a5ead0ad3d980d89c0d213fb60544912c2eafa29c366.exe
- Size: 1.9MB
- MD5: b9867e22e55a07a407707cab1812c4cf
- SHA1: d2a0e5476d102309a84319b95fa223aee8be2be9
- SHA256: 2225aa5547f360f85048a5ead0ad3d980d89c0d213fb60544912c2eafa29c366
- SHA512: afc0dea22b1c6efd6c801b38cdce7df0693df5da59f046f90808698eada1f630224d524dd918505ecaa672c3f106d893d30828d05a4966a22f02b6328a63d859
- SSDEEP: 24576:yD39dlfGQrFUspugRNJI2DJnUw9W/j+BeKJWqwH6L:yF+QrFUBgq25eKu6L
Signatures:
- Remcos family
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 229543f6c7784759f628c2f004852272.exe
- Size: 32KB
- MD5: 229543f6c7784759f628c2f004852272
- SHA1: feb176062c0bebc6bc91bf42b6fe7463d562c7ee
- SHA256: 56d00fee64f6ab77f9b4dce829a8fa1e2d94ee968718a8ab007c8dd4144328b8
- SHA512: 9058cd91a0c010e79db2ce3af2be6d1fc5cb29b1c80ba359df7d395119110636bff024c0fbb8514e93833aafe036c41355566f0a97ecd9c4cfee5f7ba5fe869e
- SSDEEP: 768:SVa+vNtg+PB93Tw4eJdVFE9j1NOjhtbT:8vNtgw93U4e9FE9j3Ojjn
Signatures:
- Detect Xworm Payload
- Xworm family

Target: 229ce4ad220d6fc570b37e681d37ace4c11216f0a6a879701a174aac5c4c2142.exe
- Size: 229KB
- MD5: 18c63a90674dfd9ce20787856a3eab57
- SHA1: 060399c3b7edbeaf034b8b1d40ea75e48b235bbb
- SHA256: 229ce4ad220d6fc570b37e681d37ace4c11216f0a6a879701a174aac5c4c2142
- SHA512: 5e1ef92fe3100720d4aa0550979b1af599c4c4f3c8431a697a315a00eeb556172f64249dad3346cc7f3d7c744db353872d80f97ca40c9a2810d85f35c1d3402e
- SSDEEP: 6144:lloZM+rIkd8g+EtXHkv/iD40uHVywvrY/hkijD6nOrb8e1mki:noZtL+EP80uHVywvrY/hkijD6n8i
Signatures:
- Detect Umbral payload
- Umbral family
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

Target: 22ce8222d21c2d1a2d81b3f6e624d15b.exe
- Size: 38KB
- MD5: 22ce8222d21c2d1a2d81b3f6e624d15b
- SHA1: 98d0499b32aef982d39b2d5a4113a57cb8bd1ced
- SHA256: e35b3b47f0fd2ab198e36f23137e77916a238764575042e5e29a94032c865561
- SHA512: 7376dd4267d88147c12d895e6db42b5954287c640f54bac637e0c1660f2d6003b712c90f7817dd944873d5a30b67967c2a34d22c7b053f5b5221dbed5f4a40cb
- SSDEEP: 384:g4LzjSrmqX84FmLuaHORSjjvUuJLLERVLGpaVrxYBox+0/pkFMAzNLTOZwg3Ocvp:tuz84c7xwRjV+Box+TFv9H63OMhU4h
- Score: 10/10
Signatures:
- Detect Xworm Payload
- Xworm family
- Drops startup file
- Adds Run key to start application

Target: 22e982850d21652c4a32b8c048f19b20.exe
- Size: 2.0MB
- MD5: 22e982850d21652c4a32b8c048f19b20
- SHA1: f72a3ab745d1a1113965bb89a342525f30d12408
- SHA256: a2f1356aa5651bea6110c7820ed856d54b26c8757af7a968383f167a46051c87
- SHA512: 10c1db49c4bfa962c88b08764cc581bbaf34cf8ef9ef6ea106e6cd57b529fe588d1d3f6d70596b63224acc7f9efb06450bf5a0c3a23a88d60f00a96bf512641f
- SSDEEP: 49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N
- Score: 10/10
Signatures:
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family

Target: 22f097b0a0666aaffb57efec67cc00dc69e1b624bdfb4c7ea69627a07cf12691.exe
- Size: 10.0MB
- MD5: 2f183f2569cf644c1649069538674c24
- SHA1: 24d882653c40a8c5f589e95dbb10cc3f3fb7e38a
- SHA256: 22f097b0a0666aaffb57efec67cc00dc69e1b624bdfb4c7ea69627a07cf12691
- SHA512: 26a63bae957c8cd75005e9f44d84aa8db79a7ce6ba6b850c2e50b6370f98160dac3e32b61892b2c03cc8088ac3ff02a61f3721e4733a3c44919c64a633ccce5c
- SSDEEP: 6144:S0M4eIm9AUSKWWkxUGwwlHOAmcHIbOwaWNdKfiNSvxpgkjFYJ2+hlJeutRj7ZyTY:0Im9RS7WhjkH9mEIbl9NdRP7yHilv
- Score: 1/10

Target: 22f1f6e81e6bd6c160bd96c4742040f6d275ae30664f7074f3cfdba83bf356ff.exe
- Size: 185KB
- MD5: 719a3ff4f666ce23233f333c2e7bdf21
- SHA1: d242454a2618c1980e7f4e36d7713ade6caee366
- SHA256: 22f1f6e81e6bd6c160bd96c4742040f6d275ae30664f7074f3cfdba83bf356ff
- SHA512: f0bbce39c99465f3aec2e89ba5c9ba2e7f323ba39afc7d85063ac40a5db45eeb767dead374852cf23f9ebf0daab41462d22ef07498d5885a212b54d94ba41b7f
- SSDEEP: 3072:ygt14eIX61ZAzb49qO/BvF84NpVq8BxFRzaqF+o2GQJ7/JzqVfGvp:yS14eHZAzbc98gVqwlL
Signatures:
- Detect Xworm Payload
- Xworm family
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

Target: 231f156f9f4b328156bcb91a17f2a636.exe
- Size: 3.0MB
- MD5: 231f156f9f4b328156bcb91a17f2a636
- SHA1: 4a152cf18df6e69aae5dc7188dc29cae5d58c062
- SHA256: 703c6e6e766b8454ab69233c17b178c5e8cf75367a99195b00f969f0896ed15f
- SHA512: bbd3e640ad27a495b3c967c6d69951f061b70da3205416a547da735c003ada40e7ea64de0cf3652756f7cb07d957dfb00ee1e71d70ddddabd5a9e19546301136
- SSDEEP: 49152:q/3iuoi0xrLIy5sx+3K0n+B87/2bHJC3H0oJK7rohky64a65KKRD:4SuMxAxKp+SDqHJq+zy86A
Signatures:
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Modifies WinLogon for persistence
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled

Target: 23f2f3a3cdfd8142daa853ff68baaf99.exe
- Size: 63KB
- MD5: 23f2f3a3cdfd8142daa853ff68baaf99
- SHA1: c31d3187ed6d0c22ea444251e6b4b457192f9ddb
- SHA256: a9acdad51d3734d9b20c064edd822c12ab0652bbc8fee7b614bf958a8dfc3f29
- SHA512: aaea969d2be58c8f90298261b059f2be39dad96700549251ad84d59f4eabfde104b5af512a281016acee9ac4261146fdea6a22e750e265cad144feb22a7d106a
- SSDEEP: 768:ekh9PXn1w787gC8A+XvqazcBRL5JTk1+T4KSBGHmDbD/ph0oXLb8/odR2sYuSu3p:VR1gMdSJYUbdh9Lb8W2D5u35pqKmY7
Signatures:
- Asyncrat family
- Async RAT payload
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE

Target: 23f9b03d2df5b98862c4a8786e7c60b9.exe
- Size: 5.9MB
- MD5: 23f9b03d2df5b98862c4a8786e7c60b9
- SHA1: e6fee163376604e213286ef0729e9d7b4333ff24
- SHA256: d8d10225adab6ebd9664f4ea8238a53b39ebe518df431ec221859221815b1177
- SHA512: f9dc66a4e101f09e2c59a364e439232fc89cd4040ffa920021bf3b93a5c45f6d74c03e88f029c5c7fa7a3b0685c6ace73340231faeb039d6f26408b7fab77461
- SSDEEP: 98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw48:RyeU11Rvqmu8TWKnF6N/1wB
Signatures:
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: 23ff6ba14d3b8f4e26b767c0e34e371c9c3ebbd812a6ffcdda48d83582c2d591.exe
- Size: 771KB
- MD5: 949facd81347ec29747c2adfa6bb23e1
- SHA1: 2d223fc2e830ea101e18306a06edb1f9b0b4a637
- SHA256: 23ff6ba14d3b8f4e26b767c0e34e371c9c3ebbd812a6ffcdda48d83582c2d591
- SHA512: 6dffa3be76f6b2fae9a8da26d392c4a7754e023bd8da993a45944da977e4b637abbf979cf10a9878d2867f2d0b4f1ff6c488671a45d64006b82dfcb348becfeb
- SSDEEP: 6144:ntT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rcnKq:h6u7+487IFjvelQypyfy7cnKq
Signatures:
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files: Steals credentials from unsecured files.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: 241c1d05adf291569126403b9a0e97c1c0beebbf68a5a4c9c6dad1a9f2f7a347.exe
- Size: 954KB
- MD5: 8e28a9dbca7a77cbe2d5d291da602d47
- SHA1: 22863bec1dc0a03b07c963f1b451cca9a1a3afd4
- SHA256: 241c1d05adf291569126403b9a0e97c1c0beebbf68a5a4c9c6dad1a9f2f7a347
- SHA512: df4c199824242535f6754b41093fd1cd98fae46c0d6f9fac9399a1ff91969e465a899e41156467b800238602fd271681a9e2a5250ba935a763013f092ddf96c1
- SSDEEP: 12288:6z7IFjvelQypyfy7z6u7+4DvbMUsIvOcf:6z0FfMz6TEbMUs8OC
Signatures:
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files: Steals credentials from unsecured files.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: 243242e5813fdbd8135ecb71808ecb70acf43e6c2bbfa8a0c5132c1fab67adfc.exe
- Size: 620KB
- MD5: a1181c8e68dacbf00d61def015cf9941
- SHA1: 9a800c404c8b9c64a53340a82c145b4b3eee0e2b
- SHA256: 243242e5813fdbd8135ecb71808ecb70acf43e6c2bbfa8a0c5132c1fab67adfc
- SHA512: c0d18578d1ca9f19856d5e6ca2b153d08e293200c76c26b71c1703aed020fe9008c43439a7a0870dad08f74aad98fe9e4163b8d009fd162fe704e1cd54bba0b3
- SSDEEP: 6144:uTAPGhnEZDTve6VlWT8b9cKKFuo0z86JqrbLUpeVCULsSIwdMlh7:MAOVE5PVle8L1qrTVlI
- Score: 1/10

Target: 24333d13e7b86f4e510460d2dd15aec988c73187602e961b434f12ee69f8e2f5.exe
- Size: 867KB
- MD5: 89cb35f716c4b65d8fb1118795c20b07
- SHA1: abf03fa78a97a1787bed6361d6ea862f3ed15221
- SHA256: 24333d13e7b86f4e510460d2dd15aec988c73187602e961b434f12ee69f8e2f5
- SHA512: bb1b3104c3f28d863a5c984e19e747e73e57ff71febbfb758b25e4b89227e19fed199b979e020bce1019f47bd6d5f7aa77e8b52ad66db4d3b18a2d260652d395
- SSDEEP: 12288:Hp+rgRNyA55IxJ+feDOa9rZj5XqkJD0QrOod7XxlW91RRzwAY3A7:HpugRNJI1D39dlfGQrFUxwAeA7
Signatures:
- Remcos family
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15 (technique, number of matching signatures)

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (5)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (6)
  - Credentials In Files (5)
  - Credentials in Registry (1)