General
Target: fedf48f06b6a18f6e5f5e0133578dd30f2d3cbc57836f5ab101ee949a30c4370
Size: 260KB
Sample: 220521-n43qkshgdp
MD5: 84890b7704adac934cfd594a13c92335
SHA1: 6bee6f8fa22187ebf31dd6403deae825dba3c8e1
SHA256: fedf48f06b6a18f6e5f5e0133578dd30f2d3cbc57836f5ab101ee949a30c4370
SHA512: b59452f395b26f347f1e79af6923f4f06b34fbf9a092c9c855758442c9416ad3ea78abdfe8b0834e7f29e63dc4a1e435d9f1b82dc4aa78357957213cb6941108
Static task: static1
Behavioral task: behavioral1
Sample: DHL_414568539649 receipt document,pdf.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: DHL_414568539649 receipt document,pdf.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: remcos 2.5.1 Pro
RemoteHost: statesman.ddns.net:1960
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-M8QX83
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Targets
Target: DHL_414568539649 receipt document,pdf.exe
Size: 200KB
MD5: 3e1576998001a9ee38a8938296e57871
SHA1: a174a9889626eca4a6e57b8b2f16eccf0d8c7eee
SHA256: 313e0fc6ca8c557646cf69f8f870b294ab97682596f443a8b18c107b2f2155cf
SHA512: 0a76939de225e73f33640613fb61445476826ce45c49373c5fba529fce8cb9f87547b903a922fb6f240d537d42475aab2f3e7a19ed93a26ca195e8920c4905b2
Score: 10/10
Signatures:
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Uses the VBS compiler for execution
Suspicious use of SetThreadContext