General
-
Target
04fb2ce6e058a87f0a13bbb214a427bf.zip
-
Size
953KB
-
Sample
220519-pt6vxsabgm
-
MD5
3ef9924f1eeecbc63e166b5901c074fa
-
SHA1
11a1513eb74215daeac8be51831fbad32e5ed8fa
-
SHA256
6f15d411c1fadf4dbbd4b4ed757152e3811827c37daadd52bc165e52584d88ef
-
SHA512
f02d83b69a6b5527975405062632f71584d50973f784a1dae2e0e65ca1ed335e8fd83bce4b45b1c3a1013d22c562f483023aadda61d7c52974553cd390ab49c5
Static task
static1
Behavioral task
behavioral1
Sample
CMR AND PACKINGLIST.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
CMR AND PACKINGLIST.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
remcos
3.3.2 Pro
dreamchaser
naninani11.ddns.net:7070
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
windows.exe
-
copy_folder
file
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-413F1M
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Targets
-
-
Target
CMR AND PACKINGLIST.exe
-
Size
1.1MB
-
MD5
04fb2ce6e058a87f0a13bbb214a427bf
-
SHA1
ae2199326c3fb6e541645820cfcbc3904dabb65d
-
SHA256
0591c0db7c2e5d407339e854e5c10adbd63c890c72e6709256829a2001b4f164
-
SHA512
09bbc925672a60aaf19ec3405ebe072896fd73f4fa65d6954d519129ed93637e0dfcd554bc42a9bf1306c36d0a8ea94f502af679155bf7eaf8d7e256e9f95dc0
Score10/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-