General
Target: 91b4c720f1aab6ec16c72f685e984b0342876ee5e09b593b4bcc6ad2461fd560
Size: 456KB
Sample: 220521-panj8sabcj
MD5: 9c66c449f255e8e3f5f73c88576d80b1
SHA1: 7e44cd8ecf422d63b659d3a891c387e80dd7ac45
SHA256: 91b4c720f1aab6ec16c72f685e984b0342876ee5e09b593b4bcc6ad2461fd560
SHA512: 4573d9f17fa423462e05f462e85f0a03b9321277442aeb4a454a41a7f97cd7ec26da824ca20147585bd755326bc261fbd4e2d3fe6c680c1086608a4e5396fbf9
Static task: static1
Behavioral task: behavioral1
Sample: Proforma Haziran 21052020,pdf.exe
Resource: win7-20220414-en
Malware Config
Extracted
remcos
2.5.0 Pro
FROM JAH
newdawn4me.ddns.net:7213
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-4F6INU
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Targets
Target: Proforma Haziran 21052020,pdf.exe
Size: 395KB
MD5: e8880257995f8f870b97aa0e6395c6fd
SHA1: 134c29a50676ce8472ec8b978e056d6444ebaa16
SHA256: 0f2679baa996e2944996f4162bfb2beeaff492e1e15a844fc9b66f60d3411793
SHA512: b2e689b15e1c6079a597c5360b4a30b3527138870456b1f4fe927fb386c6a5e4929c7d96445f97f03d73f4c9559d7bdd0367defc077a225a2faff86a26ea1b70
Score: 10/10
CoreEntity .NET Packer
  A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is decrypted at runtime.
CoreCCC Packer
  Detects the CoreCCC packer used to load .NET malware.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Uses the VBS compiler for execution
Suspicious use of SetThreadContext