General
Target: f202562d4d4f3a85dc598cb890bf536b8755991a96ca493875d9c6a052ceebf5
Size: 317KB
Sample: 220521-n48ltsefc7
MD5: 5ac67ed9ab26cc903dd787510f034bed
SHA1: be4c179e8fc36f279b60509f6aece5ac3e127859
SHA256: f202562d4d4f3a85dc598cb890bf536b8755991a96ca493875d9c6a052ceebf5
SHA512: 99e9de70aff395881fa1577ab85c8f3548930279652f9c14cfd19e3f3826ebf92d6c7cf22e302f978d740f393f6a1b5db9e22005db2b797bce28a2922afc26b9
Static task: static1
Behavioral task: behavioral1
  Sample: Factura_02114984084_55759752_187512177366350701_54150607_1078486337666513_45844851467_549481167_pdf.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Factura_02114984084_55759752_187512177366350701_54150607_1078486337666513_45844851467_549481167_pdf.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted
  remcos
  2.5.1 Pro
  ZonaBancos1
  recuperaciondecartera.website:6790
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: PXServiceNet.exe
copy_folder: System32
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: xlogs9.dat
keylog_flag: false
keylog_folder: Runtime5
keylog_path: %AppData%
mouse_option: false
mutex: remcos-WMUCYW
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: MServices
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Targets
Target: Factura_02114984084_55759752_187512177366350701_54150607_1078486337666513_45844851467_549481167_pdf.exe
Size: 503KB
MD5: 83cf74c53acc17de02a4ab1669e518cd
SHA1: 27058288abce29de3c1745afc734cc6672c2559e
SHA256: 82f0cf3abdd3fe182495f1c1fb239b778228d3f17115c4e49cb6622e3c993952
SHA512: c63c48dc657ed5a4c24f64ba9a3b0b9f6c4c650da3dc28422c0b7c74a8d619e30dde5194d9cf4ddc9b3c662d800d36f01076bbc1107b2e519d57b0dd2034f8f5
Score: 10/10
Executes dropped EXE
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext