General
Target: Shipment Document BL,INV and packing list.jpg.ace
Size: 723KB
Sample: 220513-halx3sfhck
MD5: f4cdbe7c700b93b204b5aa0f1c38ec5d
SHA1: 9c84371a73f61f05ef322a18a380877a73c847bf
SHA256: 3f62a232dcf82e5678614dafedd81b8663ccc2e7fb556ba2bcf04dddb1115369
SHA512: ff6c22dffd1d63bf2f9badaa02820af1cefa2eccb5602d84b71a2e32b280059d6fdf05d2ac1b22d38209867d869519f007bcc833e10b4a8352932b2055be500c

Static task: static1

Behavioral task: behavioral1
Sample: Shipment Document BL,INV and packing list.jpg.exe
Resource: win7-20220414-en

Malware Config
Extracted: remcos, 1.7 Pro
Host: 194.5.97.32:5890
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: remcos_oqkhxjzletgovfx
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title:

Targets
Target: Shipment Document BL,INV and packing list.jpg.exe
Size: 1.6MB
MD5: 672cc6ba8db2c80b6e0b8bfbd94f5eb0
SHA1: 7d0dcda440b2ad736514c27f3b445ae8e4ae6c38
SHA256: 59c5657e3e6221b1066f4e39fc36625fd84566cad13702e1e159453e27b93f41
SHA512: cfff8f8e5f6f5549729ec3fa2082a9c26ba322b289b132a5cb17f1c3b9cd4f5c4d326c167d285c2364eb442fda72e3114245a8acfc89699ca92f9d03fe1237d2

Signatures
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext