General
-
Target
602a23db79b166b648550c4c45246a3f2664d3bc4b1cc771bd51e6ee1df125f6
-
Size
193KB
-
Sample
220521-n7rsgsegd7
-
MD5
524e771510d93f2e6f425892dd181d34
-
SHA1
2f93a5cbe955168d6158a64d7397fb429d2a7b15
-
SHA256
602a23db79b166b648550c4c45246a3f2664d3bc4b1cc771bd51e6ee1df125f6
-
SHA512
2faff7216d222524b0ec9133f711417747d72d3e8034646b3e2bf6f7d9bfbc29b274a5efdec6738af0eded1141e782e9a34b7f83fde33aae2afacb32908a8d85
Static task
static1
Behavioral task
behavioral1
Sample
Request for Quotation Export-DH772_24042020.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Request for Quotation Export-DH772_24042020.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
remcos
2.5.0 Pro
RemoteHost
dolxxrem.hopto.org:3086
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-B3XNCF
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Targets
-
-
Target
Request for Quotation Export-DH772_24042020.exe
-
Size
288KB
-
MD5
6188c89247429b47bf080fba75b26c5d
-
SHA1
cd1d1c1de2f841e41324667d069d228c538fe1cb
-
SHA256
cc7c88bb23e3dc2b7de49f259704692ff36fb9dd7b3c307710034229b263e0fc
-
SHA512
9290f0546b9942c5af81804e1f302cd7e696403ad2a3a32ef24c6dc1b649b55fae78e5581b283a0a59bbc7388dbf635387fd63f4f590893f16e4cc8099e716c8
Score10/10-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-