General
-
Target
043e27ac7c100fee16f8f2de023db22f0ce03ead5b90cab6d6431a124355886a
-
Size
1.2MB
-
Sample
220521-n71qdsege4
-
MD5
4b720e3463ffee0b4222dfae541aa44f
-
SHA1
7d15e0979ad0c222fca59bddf0736bb50b9bbdbc
-
SHA256
043e27ac7c100fee16f8f2de023db22f0ce03ead5b90cab6d6431a124355886a
-
SHA512
943dacd9aaa5eac465a2d1d476cddd61ed8561c5045661ebb7945d56b0460171b10313c9bdf17a1f8459d20ae151c3a03900069dbed40ae33b5649d7e8d342a0
Malware Config
Extracted
remcos
2.5.0 Pro
RemoteHost
kenya8.duckdns.org:7722
ikorodu2.duckdns.org:7722
mypepsi22.duckdns.org:7722
mypepsi25.duckdns.org:7722
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-LOWNF5
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Targets
-
-
Target
4GULS1DB.EXE
-
Size
446KB
-
MD5
8307d2b88f6fc1373da2cad7e7505df1
-
SHA1
99d924ca4a5cd63aa43da4fa22a7c12c425bceeb
-
SHA256
99288949625f49d5fce4c52083d100a232b1fbec563aefa39843f564cc71190b
-
SHA512
7ccf0978b22d801bc755767fcfa94f5702cb99271f67ce5e50caf0ef096336d7c2330fe41002e3537feec368f183383ce5a842a70b0268e22ee996e95df8d973
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Windows security modification
-
Suspicious use of SetThreadContext
-