General
- Target: 122a58361a75a38bc40611f0ccad9c745ab7e2a9463c4f5e89a13dd63116f6dd
- Size: 357KB
- Sample: 220521-dz75dsgfc2
- MD5: 5906b93aebdad5febb3fa5128391ff5a
- SHA1: 5e596d29c858c80e361d63f6e7c532d97affad7d
- SHA256: 122a58361a75a38bc40611f0ccad9c745ab7e2a9463c4f5e89a13dd63116f6dd
- SHA512: 6cd8fa37e888df2d052c4e3ce08844918f5bf8738410046577267b134f352692f665c58065fedc23558da8194b384cbc818d0b6ee5085cc577ca97fd22de55e8

Behavioral task: behavioral1
- Sample: 3REM-ULTITEC-865hkk-PROTECTIVE-PPErvGiVBzqbBf9Br.exe
- Resource: win7-20220414-en

Malware Config
Extracted: remcos 1.7 Pro
- Host: 185.165.153.215:6608
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: remcos_pfarwitquv
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title:

Targets
- Target: 3REM-ULTITEC-865hkk-PROTECTIVE-PPErvGiVBzqbBf9Br.exe
- Size: 466KB
- MD5: 26791ff2139c7eef1328963dd38d4bc9
- SHA1: 9b3beb6c2aa6e621b3d2a9e9c985a66dcd214dfe
- SHA256: e9405efd2e392e4732172009d420567b63b2ed3eb1ad51d9a0539eefaf620030
- SHA512: deb446977a0dab965406529b2ef1fc1fcc198e4dd3a20fedb8f60419a7d64a181e6ea586ed27eebc4fc69bd757c06f674713d6733a46bd92b83073cfc5138f44

- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext