General
Target: 17bbd72cdcf2d447e99f6aefa6c87687aa30b20cd3d18d413568872cac5f59e5
Size: 1.2MB
Sample: 220521-pcw96aacck
MD5: 5d6fb67a92fef036e1e739df2698ce70
SHA1: 56283020bc452783ee68997b6c67592e447a79a0
SHA256: 17bbd72cdcf2d447e99f6aefa6c87687aa30b20cd3d18d413568872cac5f59e5
SHA512: 5bbc6afc4cb28d9c9e344bef60d61844a8dc58bf61b175408b9c8eda8b50559a8347808444412acc5c4b0b7c8482d1abd791635d658e0565b89b662c1cbc6894
Static task
static1

Behavioral task
behavioral1
Sample: 75720_IN.exe
Resource: win7-20220414-en

Behavioral task
behavioral2
Sample: 75720_IN.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted
remcos
2.5.1 Pro
RemoteHost: john777.ddns.net:6640
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: ooooooooooooooo-FZRZ60
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Targets
Target: 75720_IN.EXE
Size: 465KB
MD5: c37b2befe2b64b740624f049bb008418
SHA1: 8e4c73accd4610cca66ff696a2a53ce861a2b44b
SHA256: 340893d3759388ad045a1cb3f2a0d16f668974d227f8742ade77267e5dea32e8
SHA512: b7caa56d276cef443f8983ab2ef3b56e076604a869632287f9bf8a5464c76aa894b5353ce53bc9e4105b31380a790a791adb01fd9f557c6b78370ab02121d828
Score: 10/10
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext