General
Target: e1f4be2ad6856e77fb023eb77c71a57ee1ac3cadbf34c129e2df1f6a6ad0cc98
Size: 16KB
Sample: 240703-jlkd3atcjc
MD5: 2985bcd8a64877224530814bb8b9aac8
SHA1: 281d3ea62ae8ab924a6e2ade7c15861bca38cdcc
SHA256: e1f4be2ad6856e77fb023eb77c71a57ee1ac3cadbf34c129e2df1f6a6ad0cc98
SHA512: 3a5022fd1f17da23b9d8c549ba327d5c7dc3bbb5c8a58cca3e0b88c9e928afef95ec4d51cd6267c1e944e2fe304d278a1d9302ea1c41b1f17ce0bd9cd243cf30
SSDEEP: 384:0F0JMWx+HTUOKn8jdBzr3MZj3IQ4e2nmPVBylQS:0F0JMWxsw8jvH3+jYQZ+mPyQS
Static task: static1
Behavioral task: behavioral1
  Sample: Scan_20240702_1449041448298.vbs
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: Scan_20240702_1449041448298.vbs
  Resource: win10v2004-20240508-en
Malware Config
Extracted: remcos
RemoteHost: 54lpnbz0xdwx.duckdns.org:3756
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-3EXTO9
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: Scan_20240702_1449041448298.vbs
Size: 24KB
MD5: 241fc9096c5621d50bc29ebbb4cb59d5
SHA1: 89d48c32fb8cb242ca7d8d851c2b621db084af70
SHA256: 0dcbd37265e4f424a54193e437d0966ba6b29439ec6511dc64379bb882d53b5a
SHA512: 347d5fe11a3e3841c84e672c27521f5b849d0b7c6d52d873c507810b2da2ae3de37fc2263067a23f497e16eac61976f0dc52bbace51f28280c5cb9bbd62a1f66
SSDEEP: 384:3EqYZLXhghQVoWc8OCgifcmAqS7gS9F2G5mzHICh:3EqIXhghQCWclC9tPxS3XuHIg
Score: 10/10
NirSoft MailPassView
  Password recovery tool for various email clients
NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
Nirsoft
Blocklisted process makes network request
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Accesses Microsoft Outlook accounts
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext