General
-
Target
HBL+BL SHIPPING DOCUMENTS.zip
-
Size
703KB
-
Sample
211021-gxledshhe5
-
MD5
42c17b5d07a9058bb911082f1ace9a76
-
SHA1
35990a2f74c95232881ec23e1163ad0e88318823
-
SHA256
9fca9b35737fe01eb61384f3983adc3d49fc2bdd51e677bea1ac57973b8e86c0
-
SHA512
2673b26af0a9c12c4db5f4bb1cd1d1a191d69edc9dcce2e530ed224dc7cfddbfdfc678a0b32cdb14ba80801dc01d3b614eb245dcc7dd81f917dd8977ade45007
Malware Config
Extracted
remcos
3.3.0 Pro
RemoteHost
172.94.88.26:3033
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-LNYWHZ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Targets
-
-
Target
HBL+BL SHIPPING DOCUMENTS.exe
-
Size
814KB
-
MD5
baea8f92a509da346b2785803537713d
-
SHA1
35ec1fce1fd39a8fad37e88ccb25c859fc21b297
-
SHA256
f8e75ae7b73058c83d8e49afd902e29dbd5dc808017d7ec736a8f1aa0ad88c51
-
SHA512
ecc34f5cc2f8e79096a44ec235dccc2fb3f7e0e280553be51d5d2397d7c24ad2dc8ca899da6db6ea70e60fee280302fcf317efacc14603a277f642f79b0b79f1
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-