General

Target:  2c034ecfc5b98443264c65be7296caba84ddc9a39f11f3a7ad33c8f706f4aecc
Size:    444KB
Sample:  220521-n7hvksegc6
MD5:     625149e105911e048005cce375a17def
SHA1:    4209674359af141a775475a4256175aa7d1389a9
SHA256:  2c034ecfc5b98443264c65be7296caba84ddc9a39f11f3a7ad33c8f706f4aecc
SHA512:  82c1259504a1569147fbe64b7cce65773ff8840c3cb9bd2fb7c9216c38ce38875e23ccff836b04ac1caeb5edb132336400476364625b59aa896f1efaf68badd6
Static task: static1

Behavioral task: behavioral1
  Sample:   DHL_414568539649 receipt document,pdf.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample:   DHL_414568539649 receipt document,pdf.exe
  Resource: win10v2004-20220414-en
Malware Config

Extracted
Family:  remcos
Version: 2.5.1 Pro
Botnet:  JJJJJJJJJJJJJJJJJJ
C2:      nagod.ddns.net:8811

Option                   Value
audio_folder             MicRecords
audio_path               %AppData%
audio_record_time        5
connect_delay            0
connect_interval         1
copy_file                remcos.exe
copy_folder              remcos
delete_file              false
hide_file                false
hide_keylog_file         false
install_flag             false
install_path             %AppData%
keylog_crypt             false
keylog_file              logs.dat
keylog_flag              false
keylog_folder            remcos
keylog_path              %AppData%
mouse_option             false
mutex                    Remcos-W2HT1J
screenshot_crypt         false
screenshot_flag          false
screenshot_folder        Screenshots
screenshot_path          %AppData%
screenshot_time          10
startup_value            remcos
take_screenshot_option   false
take_screenshot_time     5
take_screenshot_title    wikipedia;solitaire;
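The extracted configuration is only useful to a responder once it is turned into things that can be checked on a host or in network logs, and the flags decide which artifacts exist at all. The Python below is an added example, not output of the sandbox and not Remcos code: it takes the config values from the report (constructed here as a dict) and derives the indicators the flags actually gate. The C2 host and port and the mutex are unconditional; the dropped copy, the startup entry and the keylog file only appear when install_flag and keylog_flag are true, which in this sample they are not, so the original file path rather than %AppData%\remcos is what to look for. The per-user Run key as the startup location and the short dynamic-DNS suffix list are assumptions, marked in the code.

```python
"""Turn an extracted Remcos configuration into a checklist of indicators.

Added example; not code from the sandbox or from Remcos. The configuration
below is constructed from the report's "Malware Config" section. Which flag
gates which artifact follows the option names in that config; the Run-key
location and the dynamic-DNS suffix list are assumptions.
"""

# Constructed from the report: only the fields this example needs.
REMCOS_CONFIG = {
    "version": "2.5.1 Pro",
    "botnet": "JJJJJJJJJJJJJJJJJJ",
    "c2": ["nagod.ddns.net:8811"],
    "mutex": "Remcos-W2HT1J",
    "install_flag": "false",
    "install_path": "%AppData%",
    "copy_folder": "remcos",
    "copy_file": "remcos.exe",
    "startup_value": "remcos",
    "keylog_flag": "false",
    "keylog_path": "%AppData%",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": "false",
    "take_screenshot_option": "false",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "audio_path": "%AppData%",
    "audio_folder": "MicRecords",
}

# Assumption: a small constructed list of free dynamic-DNS suffixes.
DYNAMIC_DNS_SUFFIXES = (".ddns.net", ".duckdns.org", ".no-ip.org")

# Assumption: Remcos registers startup_value under the per-user Run key.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def is_true(cfg, key):
    """Config flags are extracted as the strings 'true'/'false'."""
    return str(cfg.get(key, "false")).strip().lower() == "true"


def win_path(*parts):
    """Join with backslashes so the output is the same on a Linux analysis box."""
    return "\\".join(p.strip("\\") for p in parts if p)


def parse_c2(entry):
    """Split 'host:port'; rpartition tolerates IPv6-style hosts with colons."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"malformed C2 entry: {entry!r}")
    return host, int(port)


def derive_iocs(cfg):
    iocs = {"network": [], "mutex": [], "files": [], "directories": [],
            "registry": [], "notes": []}

    # Unconditional: the implant always beacons to its C2 list and creates its mutex.
    for entry in cfg.get("c2", []):
        host, port = parse_c2(entry)
        iocs["network"].append({"host": host, "port": port,
                                "dynamic_dns": host.endswith(DYNAMIC_DNS_SUFFIXES)})
    if cfg.get("mutex"):
        iocs["mutex"].append(cfg["mutex"])

    # Gated by install_flag: dropped copy plus startup entry.
    if is_true(cfg, "install_flag"):
        iocs["files"].append(win_path(cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]))
        iocs["registry"].append(win_path(RUN_KEY, cfg["startup_value"]))
    else:
        iocs["notes"].append("install_flag=false: no dropped copy or startup entry expected; "
                             "hunt for the original file path instead")

    # Gated by keylog_flag: offline keystroke log.
    if is_true(cfg, "keylog_flag"):
        iocs["files"].append(win_path(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]))
    else:
        iocs["notes"].append("keylog_flag=false: offline keylog file not expected")

    # Two screenshot flags exist in the config; either one enables the folder.
    if is_true(cfg, "screenshot_flag") or is_true(cfg, "take_screenshot_option"):
        iocs["directories"].append(win_path(cfg["screenshot_path"], cfg["screenshot_folder"]))

    # Audio capture has no enable flag in the extracted config, so this folder is
    # a low-confidence indicator and is listed unconditionally.
    iocs["directories"].append(win_path(cfg["audio_path"], cfg["audio_folder"]))
    return iocs


def render(iocs):
    """Flat text checklist, one indicator per line."""
    lines = []
    for kind, items in iocs.items():
        for item in items:
            lines.append(f"{kind}: {item}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(derive_iocs(REMCOS_CONFIG))))
```

Running it against the report's configuration yields only the C2 host/port, the mutex and the MicRecords folder plus two notes explaining why no dropped file or startup entry is expected; flipping install_flag in the dict produces the %AppData%\remcos\remcos.exe path and the startup value to search for.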
Targets

Target: DHL_414568539649 receipt document,pdf.exe
Size:   384KB
MD5:    42938883cc03a62def0e0a3616804fa1
SHA1:   a84de1e45ba676302061947b6b225ca7874dab08
SHA256: d3146b1c0e38f200abfdd2439db31b3cc5271d320495015d68ea2fab35e6ed14
SHA512: 87e87fa9a7ccfe35bd338cb15ee73f777b914410e86b04d3cae221db65c0e0e2e8969618fe9840ad4f595b7660d75432c53f912559269005e5be3842846c2720
Score:  10/10

- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext