General
-
Target
eeb372866b2f0cf0aef6158442868f75ba272b57fcd8a9de5d05f9fe93bc00c7
-
Size
177KB
-
Sample
220521-ngzemsghbj
-
MD5
ff7b7b13f645859595b1808715b9b02e
-
SHA1
18852053c94f5ef13cd71e5afb6831dd2780a3bc
-
SHA256
eeb372866b2f0cf0aef6158442868f75ba272b57fcd8a9de5d05f9fe93bc00c7
-
SHA512
2e5f9714172b5a692052de587f2006c42638838283f01d0750c02d55b4ec10846986085cf23b9f296404c148575a392f653dfbe58a01400e904b9943f13b2af3
Static task
static1
Behavioral task
behavioral1
Sample
PO 186603, PO 18582.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
PO 186603, PO 18582.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
remcos
1.7 Pro
Host
omari12.duckdns.org:9046
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_ooesociikieaxms
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
- take_screenshot_title
Targets
-
-
Target
PO 186603, PO 18582.exe
-
Size
232KB
-
MD5
2dfe76a3750a1e91f198902086d81249
-
SHA1
012cc21f1410e324533d1a883bbd60d4abe3059c
-
SHA256
3ce66a4e58b435bcd38a1272823e97f7beac54d679ff0af1224187f032360e87
-
SHA512
717031cd3c1590d5ea645964349df99786e3e81b12f6cf23812db50eb1ea6df7a3ec65495c1b5e08f8338563384812c6e1a8594ec15a9dac21ca847520eb020d
Score10/10-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-