General
Target: Urgent Order (RefPO.35231_TTI).gz
Size: 567KB
Sample: 211021-d42s6safgj
MD5: 6edfb1226a784a530e27e4ffffae3a36
SHA1: 5d23ce0c28882fb6135be3049be9799ebb412016
SHA256: cf24e90d7806fad40a47bf7941496f2568fd992193bbd100ffeaaf2bf9bea681
SHA512: 1274ab9c104548020740819e76112ae55c54f826b4106726144607ae3103e210dbb7456bc44784a8baa833443cd836a54cd750730f575a82294a045f0ae18339
Static task: static1
Behavioral task: behavioral1 (Sample: Order copy.exe; Resource: win7-en-20211014)
Behavioral task: behavioral2 (Sample: Order copy.exe; Resource: win10-en-20210920)
Malware Config
Extracted: remcos
RemoteHost: sabrinaoyst.ddns.net:7019
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-PACL2H
screenshot_crypt: true
screenshot_flag: true
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Extracted: remcos
Version: 3.3.0 Pro
RemoteHost: sabrinaoyst.ddns.net:7019
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-PACL2H
screenshot_crypt: true
screenshot_flag: true
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Targets
Target: Order copy.exe
Size: 963KB
MD5: 4e85bccd3ffbc25142507fe1883f2eda
SHA1: 634ca94d2f19b7784bf2de78657c7d927b21b52a
SHA256: 14dac7b193364d4c9d85f2cb2c1fa88683e8fffece0a499c90e49eca08a85e9d
SHA512: 1704cc8c9219323d455d5611ccaaf6a6103eda3a886dc17101b2a41de3db8064374640f29876f24e5322042d25c0f53c1051002f367d1ec027ce7ba5badf1774
Score: 10/10
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext