General
-
Target
0ffc737f786def0d033fdfaaf20cdbc52ffc367d50b607b8cc89e62735b480df
-
Size
1.2MB
-
Sample
220521-d12zrsgfe4
-
MD5
073fd739c27265f496ce4843e0d8857f
-
SHA1
08a00eea38fb9fcbd1fbf70c3284928ee3f5efb7
-
SHA256
0ffc737f786def0d033fdfaaf20cdbc52ffc367d50b607b8cc89e62735b480df
-
SHA512
df279e24a80fbd44a3f69006d417a77693215a5b63d86712f7010ddaa826a966e7d5e0d205c5acb9642bfb980f1f25df3ab8b3b339da4aa7fe67d6ccfc97a1bf
Malware Config
Extracted
remcos
2.5.0 Pro
RemoteHost
79.134.225.118:6667
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-RNAWV7
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Targets
-
-
Target
PU1_0003.EXE
-
Size
211KB
-
MD5
4095b251cf47277508875a9e3d4c5d48
-
SHA1
4e9816359ba41c964ee8673f3568ec4ae7170c3a
-
SHA256
1ed676d7b5902ae99362fbbbd80e7dd2b9cb9c479d9b9a8736f30829e7fe4176
-
SHA512
72c5b9c1ec235ab8e97bfbc494cd32764f7d79554bdb87af550c7ed6f4a85660f993d4938ebb7fa9ef1d5cf804b62a518331daa6dd848e5d9eee30dfd9089f78
Score10/10-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-