General
-
Target
5070613049933824.zip
-
Size
365KB
-
Sample
210913-amjz9acff9
-
MD5
52b954d797baff10100536784f2c18ce
-
SHA1
bdb1209d047d001de4deaf84532ea9083df79986
-
SHA256
c619b31da488ea8ff37ff4a97d5c7960c0dfa542bbb77115f34f64d577db8e46
-
SHA512
0de2eb2ed40facec50210f4bbe9c3eeeaf003b3a4c814c8a228b6f951f9e9e41e48b1a7fee37d1bc3202819af000b5e86942ac02dc48668e379002c6459f5918
Malware Config
Extracted
remcos
2.7.2 Pro
RemoteHost
style.ptbagasps.co.id:42020
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
microsoftwndddows98
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
microsoftwndddows98-Q8G3TQ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Targets
-
-
Target
DOCS-0032.exe
-
Size
850KB
-
MD5
b1a8ca856942150e7c683468b1298de2
-
SHA1
8a73fd22fa4d922ad008f6e9f903fd65895d26dc
-
SHA256
0957b28cb0ee2e127c7648eb7bc99eb8d271bb3523a5c8cd5f4d5e7840cc5ca9
-
SHA512
4af930c87bc091b1f8f814864b86a43f1f05406ef70fb8dc56bc4d7580f34e9f5b32f4fd09608a65c0211e73f938877311e7620dcd6b8261446b581c6fe69f7b
Score10/10-
Modifies system executable filetype association
-
Registers COM server for autorun
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-