General
  Target: 76532391a65407a6758aac0ecd1556d648bec998270fc9de4aac52340fa4746c
  Size: 414KB
  Sample: 240626-xqx3lsycle
  MD5: 60a1e2c43014a7b6bdcbdca81c246482
  SHA1: d3677f8b6f072a83c3c9858dc58d7ef9062772c5
  SHA256: 76532391a65407a6758aac0ecd1556d648bec998270fc9de4aac52340fa4746c
  SHA512: 7772ceb33a3179d9cad1b795156fa94dba2e6bef580f860dd663ecc8dfe010b78b863ea793e50f490d79ef02e6b2b9245e72dda67792956993fa145924c8c1cf
  SSDEEP: 12288:HDU5dlz/7Qcm54QVK6p61cQIlQPBnpqS21N5wRxt:jUZQx54QM6pV7cpqSy4h
Static task: static1
Behavioral task: behavioral1
  Sample: contract copy amended JUNE 2024_PDF.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: contract copy amended JUNE 2024_PDF.exe
  Resource: win10-20240404-en
Behavioral task: behavioral3
  Sample: contract copy amended JUNE 2024_PDF.exe
  Resource: win10v2004-20240508-en
Malware Config
  Extracted: remcos
    RemoteHost: 204.10.160.132:2404
    audio_folder: MicRecords
    audio_record_time: 5
    connect_delay: 0
    connect_interval: 1
    copy_file: remcos.exe
    copy_folder: Remcos
    delete_file: false
    hide_file: false
    hide_keylog_file: false
    install_flag: false
    keylog_crypt: false
    keylog_file: logs.dat
    keylog_flag: false
    keylog_folder: remcos
    mouse_option: false
    mutex: Rmc-6UW0BP
    screenshot_crypt: false
    screenshot_flag: false
    screenshot_folder: Screenshots
    screenshot_path: %AppData%
    screenshot_time: 10
    take_screenshot_option: false
    take_screenshot_time: 5
Targets
  Target: contract copy amended JUNE 2024_PDF.exe
    Size: 428KB
    MD5: e6b91a52554e6adf43df0ffaa6b92d33
    SHA1: 4000722ce7f9445e068892b3ed80c9151f7e8a47
    SHA256: 0a7f62793ce40e99600c729a97d80c02b4f8c80d16c32f5edaa8a6eac48d416e
    SHA512: ea228dea9d90b67ddcea115c181fd06f07385a3497adade0f957c539cf44327259d5a1a0e36b5abb333e1c29af359743011a02c5fc1adce2e4549409d8a95ff5
    SSDEEP: 12288:0JJz/7Ecm5WQVK69G14QIlQdBnVqS2xN9wR4:CxEx5WQM69z7QVqS4oG
    NirSoft MailPassView (Password recovery tool for various email clients)
    NirSoft WebBrowserPassView (Password recovery tool for various web browsers)
    Nirsoft
    Loads dropped DLL
    Accesses Microsoft Outlook accounts
    Suspicious use of NtCreateThreadExHideFromDebugger
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Suspicious use of SetThreadContext