General
-
Target
PI#443536_Clvginpxlcltmugbbdjzhthnvqtewvwkrs_Signed_.exe
-
Size
705KB
-
Sample
210806-fjmx5nj7zj
-
MD5
e312632ef9548565eabc682af0fbc369
-
SHA1
7c707c2f0600729e9954d3f2ed102643cfeb108a
-
SHA256
e982ae5ea3e7d8b92372076442bd0f96a572d974a2265c609a0cc5e4b4eac9cb
-
SHA512
0b832d2c8f263e28d2d9c7407bb756e29ebec224529cfea9b0f5b4baabf40cfd793df5c2d6fd0123523d8f0af456448648e1b129071e94464e4d0102e024cc55
Static task
static1
Behavioral task
behavioral1
Sample
PI#443536_Clvginpxlcltmugbbdjzhthnvqtewvwkrs_Signed_.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
PI#443536_Clvginpxlcltmugbbdjzhthnvqtewvwkrs_Signed_.exe
Resource
win10v20210410
Malware Config
Extracted
remcos
3.1.5 Pro
auggg
185.157.162.100:49151
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-TKSX4X
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Targets
-
-
Target
PI#443536_Clvginpxlcltmugbbdjzhthnvqtewvwkrs_Signed_.exe
-
Size
705KB
-
MD5
e312632ef9548565eabc682af0fbc369
-
SHA1
7c707c2f0600729e9954d3f2ed102643cfeb108a
-
SHA256
e982ae5ea3e7d8b92372076442bd0f96a572d974a2265c609a0cc5e4b4eac9cb
-
SHA512
0b832d2c8f263e28d2d9c7407bb756e29ebec224529cfea9b0f5b4baabf40cfd793df5c2d6fd0123523d8f0af456448648e1b129071e94464e4d0102e024cc55
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
-
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-