General
Target: 8295fc538990ba0e29ccee1344cfe5426a5132b65c45f9005706ce7f98c7a6d8
Size: 239KB
Sample: 220521-n6fzlahhaq
MD5: 44214a8f94d40a8cfaa06ba194c23dc4
SHA1: 1a56de75166dd1129ae1a7a7d3cd625d0fb1b77f
SHA256: 8295fc538990ba0e29ccee1344cfe5426a5132b65c45f9005706ce7f98c7a6d8
SHA512: 4176c80f21cfd353b8785af5062a3e1a34384a034b74f3eb54fbfbf305c0f3635850244190cbd05e1f6df0bcb604455ef672fab045a546b450ce5a83db2b0a64

Static task: static1

Behavioral task: behavioral1
Sample: Cobro Juridico_0269238974920802_5210818_018214297558997881904018_759752_5835240459117026008_2344621_118955780952_pdf.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: Cobro Juridico_0269238974920802_5210818_018214297558997881904018_759752_5835240459117026008_2344621_118955780952_pdf.exe
Resource: win10v2004-20220414-en

Malware Config
Extracted
Family: remcos
Version: 2.5.1 Pro
Botnet: ZonaBancos1
C2: recuperaciondecartera.website:6790

Attributes
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: PXServiceNet.exe
copy_folder: System32
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: xlogs9.dat
keylog_flag: false
keylog_folder: Runtime5
keylog_path: %AppData%
mouse_option: false
mutex: remcos-WMUCYW
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: MServices
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;

Targets
Target: Cobro Juridico_0269238974920802_5210818_018214297558997881904018_759752_5835240459117026008_2344621_118955780952_pdf.exe
Size: 273KB
MD5: 716d5468b4acda0549df7307b2db1500
SHA1: 4c228a8b8d406e62ffe2827294c88d895a8663d4
SHA256: aa9608f32f753da933fc3d931a99fd1767b9970a5a95ac7ed01e11a51421f213
SHA512: beff5e1447b87d2792d6199bf9a464760761574f23a433962b18f2a967e9b84c953095cd77e846d29663653de50634758b9e08a79b9ed9653648dbe32343f174
Score: 10/10

- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext