General
- Target: 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729
- Size: 1.6MB
- Sample: 220121-3r77vsddh2
- MD5: 983199bbc9855444da45fd3470542c93
- SHA1: 6358b2bf1dc6e8aff646ad6ab919be865fa19870
- SHA256: 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729
- SHA512: 9d48594222420487bc7a8d0e888806edbd5bac819669504d2a854912d403b22fb761f0e4e0a220412e2a18165ee8d20afe4fa21bea6f73a908428a2116557684

Static task: static1
Behavioral task: behavioral1
- Sample: 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
- Resource: win7-en-20211208

Malware Config
Extracted: remcos
Ene20
amsdkjeduejfhdgerop.duckdns.org:2223
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: AdminShell
- keylog_path: %AppData%
- mouse_option: false
- mutex: NQUjfd3E3e5dje-JHD8X5
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;

Targets
- Target: 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729
- Size: 1.6MB
- MD5: 983199bbc9855444da45fd3470542c93
- SHA1: 6358b2bf1dc6e8aff646ad6ab919be865fa19870
- SHA256: 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729
- SHA512: 9d48594222420487bc7a8d0e888806edbd5bac819669504d2a854912d403b22fb761f0e4e0a220412e2a18165ee8d20afe4fa21bea6f73a908428a2116557684

Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL