General
-
Target
d7d81b61089e2639cede68b6db324344cc092b4c6fe4d94f2ab55f2f2c6f838d
-
Size
1.2MB
-
Sample
220521-n5jn4ahgfk
-
MD5
e1b02ade82f2d4f9a58af0561a0a1ad5
-
SHA1
a879e14bd25d8a2c9a58fbf3fac02d2695b61e2d
-
SHA256
d7d81b61089e2639cede68b6db324344cc092b4c6fe4d94f2ab55f2f2c6f838d
-
SHA512
b6f7f26198bb1f25a7300117ba71aed9ce07bfae5208e672da7e0b8cdf2fb9b317048afc0e4e9ea49067e41a636cf4434a85bbdfa6fb0bca36d5132eeb515730
Malware Config
Extracted
remcos
2.5.0 Pro
nownow
172.111.200.225:8069
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-NU36GH
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Targets
-
-
Target
URBAN_EQ.SCR
-
Size
248KB
-
MD5
d166e73c371e8e22142bb7fce0e34cb1
-
SHA1
f8a23d72e5d78bd18236e70f44a5fce0898b8f89
-
SHA256
0213b080d6e1188df027bebfc9d5fa07d0548168997536afd0471c29be4ce75c
-
SHA512
fb63a427733e853a752dd82bb7bcf93b6e7de036dc0d690ddb0534a89a27d921284828abd2c8afc7c3b7f8e6f4bae48239d13bcd66cd5231d5a834e353c9a888
Score10/10-
Modifies WinLogon for persistence
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Drops startup file
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-