General
Target: 2315e9ea4b02a18e75f5c6c3f6228dd04d9fddeb27d229aa55345875a2430518
Size: 460KB
Sample: 220521-pcqsdaacbp
MD5: c97d58c8dcb5572e7231b42f91413cb9
SHA1: bddb515fa6059039ff221fbbd9089618a5fca010
SHA256: 2315e9ea4b02a18e75f5c6c3f6228dd04d9fddeb27d229aa55345875a2430518
SHA512: 9c12dda7e8b58c2ffee2b1e7a6868f4c97949f8405fa580068124290d7966b580536ca808a6c8ca33b9f037e3aafc2e3ad3d32668b42292f2975fab5cf20dbb8
Static task: static1
Behavioral task: behavioral1
Sample: 配達確認書 PO#8018516,pdf.exe
Resource: win7-20220414-en
Malware Config
Extracted
remcos
2.5.0 Pro
SMASH B
goddywin.freedynamicdns.net:5252
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-PLP378
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Targets
Target: 配達確認書 PO#8018516,pdf.exe
Size: 398KB
MD5: b12a52f0dbe23e563edd4793d001f8fd
SHA1: 5c7b8ceab6ec73c6ae951b4e01426d24a421fa04
SHA256: a3b3bbce36f3c381e04a1a086d9ad58f31563d8f106bb1a6732cf2799ee645e0
SHA512: f76ec5f22602bf37e748c43a870de8762de294a6fbb861175875979ca16349f97de7b6a2fd2e6b2664d7fc16e1a485a617cce3ba8192d88f1f5cd6c9a11178aa
Score: 10/10
CoreEntity .NET Packer
  A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
CoreCCC Packer
  Detects the CoreCCC packer used to load .NET malware.
Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
Uses the VBS compiler for execution
Suspicious use of SetThreadContext