General
-
Target
Offer ZI-0428.doc
-
Size
293KB
-
Sample
240701-pvt8hssbpd
-
MD5
dde9d7d091ac0cc1d35515d259d8ca6f
-
SHA1
c6e943143771fc3fd7c2c548f5fddcd6013d9302
-
SHA256
95be57795b850e5aa098c80a107bafdb581da7653d9b57b8f2d37b89880de224
-
SHA512
04f282c1b0333925454b7ab1c461c4ae395b0b8148bc6d51fd36368db2dc187daa6d273177d4ad15b50ede52bacf6271062dab70d45b871c8f805a8083844995
-
SSDEEP
6144:4GuqGuqGuqGuqGuqGuqGuqGuqGuqGu9tNcTr:4
Static task
static1
Behavioral task
behavioral1
Sample
Offer ZI-0428.rtf
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
Offer ZI-0428.rtf
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Offer ZI-0428.rtf
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
Offer ZI-0428.rtf
Resource
win11-20240508-en
Malware Config
Extracted
remcos
sPITTT
antfly50.sytes.net:1980
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-BW3KDF
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
Offer ZI-0428.doc
-
Size
293KB
-
MD5
dde9d7d091ac0cc1d35515d259d8ca6f
-
SHA1
c6e943143771fc3fd7c2c548f5fddcd6013d9302
-
SHA256
95be57795b850e5aa098c80a107bafdb581da7653d9b57b8f2d37b89880de224
-
SHA512
04f282c1b0333925454b7ab1c461c4ae395b0b8148bc6d51fd36368db2dc187daa6d273177d4ad15b50ede52bacf6271062dab70d45b871c8f805a8083844995
-
SSDEEP
6144:4GuqGuqGuqGuqGuqGuqGuqGuqGuqGu9tNcTr:4
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-