General
-
Target
fa65633c1499e432ebb65631a87c4b0fc225f74468e6369b9c119406bed32cd5
-
Size
376KB
-
Sample
220521-bln39acag5
-
MD5
f994f9c3fd5b24f14d1c8779d4cc170f
-
SHA1
288784754ce2f3e8691228673619103d19ef9aa2
-
SHA256
fa65633c1499e432ebb65631a87c4b0fc225f74468e6369b9c119406bed32cd5
-
SHA512
db187019cfb87ef3d00bf155420e85b82cbec97c57ab951c4f7ff2c33a7e2c4b103edfc38cd56170a5e43995a1f5b24ffd915a4b427c98305adf3b6fa18abd4a
Static task
static1
Behavioral task
behavioral1
Sample
Drawings 86565278254-CP20202705,pdf.exe
Resource
win7-20220414-en
Malware Config
Extracted
remcos
2.5.0 Pro
FROM JAH
newdawn4me.ddns.net:7213
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-4F6INU
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Targets
-
-
Target
Drawings 86565278254-CP20202705,pdf.exe
-
Size
314KB
-
MD5
4ee009b6aa38a721c2d0b3820e0a1a18
-
SHA1
24dd9a3896a3af768b31f3224584e50757013536
-
SHA256
45b6db1de3c17ed66daa45bd11b1b2b1001a0060fab695635f1cec62400f007d
-
SHA512
4f750b0cd349ab46b9618f8a3145b6b44e75f11c11f8a3f72b8626d531beb834f6726ab1a14157790c06c2fc24015baf4f46e1bcb17870edffde4010869bcfda
Score10/10-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-