General
-
Target
1a7facf191c33f3919788df0ffd1d4f8.zip
-
Size
953KB
-
Sample
220519-pbq2rafab9
-
MD5
a22a746fee0864af3e011cf846bdbe5e
-
SHA1
8e9fd96c236355eb01680992d0ac0fd36e5519cb
-
SHA256
dbabda1495d2b5098963228c01277cc90925c0e5ebd8e731b5760b818423cb3d
-
SHA512
ebe9387e16a2f69299064fad1a44645ef0381f08c0f2b0df93188c8e7fb717a459607707ef62513146d57839c3c5c4c547e907ea57254c8d37f47f51c36c244c
Malware Config
Extracted
remcos
3.3.2 Pro
dreamchaser
naninani11.ddns.net:7070
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
windows.exe
-
copy_folder
file
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-413F1M
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Targets
-
-
Target
CMR AND PACKINGLIST.exe
-
Size
1.1MB
-
MD5
04fb2ce6e058a87f0a13bbb214a427bf
-
SHA1
ae2199326c3fb6e541645820cfcbc3904dabb65d
-
SHA256
0591c0db7c2e5d407339e854e5c10adbd63c890c72e6709256829a2001b4f164
-
SHA512
09bbc925672a60aaf19ec3405ebe072896fd73f4fa65d6954d519129ed93637e0dfcd554bc42a9bf1306c36d0a8ea94f502af679155bf7eaf8d7e256e9f95dc0
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Detected potential entity reuse from brand microsoft.
-
Suspicious use of SetThreadContext
-