General
-
Target
CONFIRM ORDER_O452-11189H6U77,pdf.exe
-
Size
743KB
-
Sample
210423-84q8j8v4t2
-
MD5
a10b06acd92325678e2b960544c9257f
-
SHA1
754dfa9962325d7ad6676779bafcd8b5e18d6978
-
SHA256
6ce1eb96c697ce276022f1a14fe7da73f910487fcfb384d676b28aa55f0c05ca
-
SHA512
8fef2e063e121fdf49f2d1fedb35aa6bd17fcf15e775f2460d473f13783e9e9f256765c3da6b7aa8334dd096d69c6b5774ba1ee7f703f6e07a4acaabdcc0a249
Malware Config
Extracted
remcos
goddywin.freedynamicdns.net:6712
Targets
-
-
Target
CONFIRM ORDER_O452-11189H6U77,pdf.exe
-
Size
743KB
-
MD5
a10b06acd92325678e2b960544c9257f
-
SHA1
754dfa9962325d7ad6676779bafcd8b5e18d6978
-
SHA256
6ce1eb96c697ce276022f1a14fe7da73f910487fcfb384d676b28aa55f0c05ca
-
SHA512
8fef2e063e121fdf49f2d1fedb35aa6bd17fcf15e775f2460d473f13783e9e9f256765c3da6b7aa8334dd096d69c6b5774ba1ee7f703f6e07a4acaabdcc0a249
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Uses the VBS compiler for execution
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-