General
-
Target
6b52e8518788ffaa4883e8f310926bc7cdd9932ccffe1f31d54dbd10fc74a18e
-
Size
235KB
-
Sample
220521-n6t68aega4
-
MD5
97539ffc9ad473ceb085cc342e6060ce
-
SHA1
543598ce3abbc794c317cdf9038a09d4dab3674a
-
SHA256
6b52e8518788ffaa4883e8f310926bc7cdd9932ccffe1f31d54dbd10fc74a18e
-
SHA512
d24f1e90c3ff830a65108c0615ee3826ace0365d307169ff63e33ccbe48ee564f8b4550b19dce4f6c1ee00850ee732c7c7a99db31d87e60b4abcc0c2325a0380
Static task
static1
Behavioral task
behavioral1
Sample
Adjunto_Extracto_4523850339306068761894266441737657784_92344804604222287843581859556495_849221692036554261519_8167613218_pdf.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Adjunto_Extracto_4523850339306068761894266441737657784_92344804604222287843581859556495_849221692036554261519_8167613218_pdf.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
remcos
2.5.1 Pro
ZonaBancos1
recuperaciondecartera.website:6790
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
PXServiceNet.exe
-
copy_folder
System32
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
xlogs9.dat
-
keylog_flag
false
-
keylog_folder
Runtime5
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos-WMUCYW
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
MServices
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Targets
-
-
Target
Adjunto_Extracto_4523850339306068761894266441737657784_92344804604222287843581859556495_849221692036554261519_8167613218_pdf.exe
-
Size
417KB
-
MD5
270c91e8e67e7466cc5c3ae37a90c4d5
-
SHA1
2c6b11dde610816886f4e5f0b64623b81a71ce0a
-
SHA256
c4282456cd93b45d7094b6b476079671781363ea67a9726a04704eee7391c627
-
SHA512
5ba608e7012516aa404c1708d4e071505aa6f7264b66f2b9995aecfc1af1f301275df6f31929536ea27b16746b01dad5970f642e65649a90e94cc357362d8234
Score 10/10
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry; likely used as a geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-