General
Target: 932ca48307370d1019ade8c5f9312d6f96f7d565715f48f4a4c35a045702cef2
Size: 230KB
Sample: 220521-ph3dcsaehp
MD5: 5ba8b1ee47b934c42ff521dc3c47da79
SHA1: 0a23493703fc700e6893c2348fa9bb155ab5ccee
SHA256: 932ca48307370d1019ade8c5f9312d6f96f7d565715f48f4a4c35a045702cef2
SHA512: e0eac8e143399d1413f8e29274e35e16c49b64a00e96eeafaa822ecf00897427227ba45e194b0af4c7cff298c943d06ff5d8e3b1efa247374c3ccea54eef38be
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ TRQ22-06-20200051_pdf.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: RFQ TRQ22-06-20200051_pdf.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: remcos
Version: 2.5.1 Pro
xxxxxxxxxxxx
C2: 109.169.89.116:2021
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: s.sex
keylog_flag: false
keylog_folder: ssssss
keylog_path: %UserProfile%
mouse_option: false
mutex: fuckhere-M9W1LK
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
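The extracted configuration is a ready-made IOC set once the environment tokens are expanded and the enable flags are read alongside the paths: in this build install_flag, keylog_flag and screenshot_flag are all false, so the copy to %AppData%\remcos\remcos.exe, the startup value and the keylog file are configured but not active, while the C2 at 109.169.89.116:2021 with connect_delay 0 and connect_interval 1 is. The Python below is an added example, not part of the sandbox output: it embeds the config values from this report, assumes a user profile at C:\Users\victim for token expansion, and runs the derived IOCs over constructed Sysmon-style events (the events, the benign 203.0.113.10 connection and the SID are made up for the demonstration).

```python
# Added example (not part of the sandbox report): derive host and network
# IOCs from the extracted Remcos config above and match them against
# Sysmon-style events. The profile C:\Users\victim and the sample events
# are constructed for the demonstration.

# Config values copied from the report; keys are the report's field names.
CONFIG = {
    "c2": "109.169.89.116:2021",
    "mutex": "fuckhere-M9W1LK",
    "install_flag": False,
    "install_path": "%AppData%",
    "copy_folder": "remcos",
    "copy_file": "remcos.exe",
    "startup_value": "remcos",
    "keylog_flag": False,
    "keylog_path": "%UserProfile%",
    "keylog_folder": "ssssss",
    "keylog_file": "s.sex",
    "screenshot_flag": False,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "audio_path": "%AppData%",
    "audio_folder": "MicRecords",
}

# Assumed profile root used to expand the two tokens Remcos writes into paths.
ENV = {
    "%AppData%": r"C:\Users\victim\AppData\Roaming",
    "%UserProfile%": r"C:\Users\victim",
}


def expand(*parts):
    """Join path fragments with backslashes and expand %AppData% / %UserProfile%."""
    path = "\\".join(parts)
    for token, value in ENV.items():
        path = path.replace(token, value)
    return path


def iocs_from_config(cfg):
    """Turn the config into concrete artefacts, keeping the enable flag with
    each path: a disabled feature is still worth hunting for, because the
    operator can switch it on in the next build without changing anything else."""
    host, port = cfg["c2"].rsplit(":", 1)
    paths = {
        expand(cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]): cfg["install_flag"],
        expand(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]): cfg["keylog_flag"],
        expand(cfg["screenshot_path"], cfg["screenshot_folder"]): cfg["screenshot_flag"],
        # The config shows no enable flag for audio capture, so none is recorded.
        expand(cfg["audio_path"], cfg["audio_folder"]): None,
    }
    disabled = sorted(name for name in ("install", "keylog", "screenshot")
                      if not cfg[f"{name}_flag"])
    return {
        "c2": (host, int(port)),
        "mutex": cfg["mutex"],          # visible to a handle scan, not to Sysmon
        "run_value": cfg["startup_value"],
        "paths": paths,
        "disabled": disabled,
    }


def match_events(iocs, events):
    """Return (label, event) pairs for events that touch an IOC. Events mimic
    Sysmon: ID 3 network connect, ID 11 file create, ID 13 registry value set."""
    host, port = iocs["c2"]
    run_suffix = "\\currentversion\\run\\" + iocs["run_value"].lower()
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 3 and ev.get("DestinationIp") == host and ev.get("DestinationPort") == port:
            hits.append(("c2_connect", ev))
        elif eid == 11 and any(ev.get("TargetFilename", "").lower().startswith(p.lower())
                               for p in iocs["paths"]):
            hits.append(("dropped_path", ev))
        elif eid == 13 and ev.get("TargetObject", "").lower().endswith(run_suffix):
            hits.append(("run_key", ev))
    return hits


# Constructed events: a beacon to the configured C2, a benign HTTPS connection,
# a Run-key write using startup_value, and the install copy being written.
EVENTS = [
    {"EventID": 3, "Image": r"C:\Users\victim\Downloads\RFQ TRQ22-06-20200051_pdf.exe",
     "DestinationIp": "109.169.89.116", "DestinationPort": 2021},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 13, "Image": r"C:\Users\victim\Downloads\RFQ TRQ22-06-20200051_pdf.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\remcos"},
    {"EventID": 11, "Image": r"C:\Users\victim\Downloads\RFQ TRQ22-06-20200051_pdf.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\remcos\remcos.exe"},
]


if __name__ == "__main__":
    iocs = iocs_from_config(CONFIG)
    for path, enabled in iocs["paths"].items():
        print(f"{path}  (enabled={enabled})")
    for label, ev in match_events(iocs, EVENTS):
        print(label, ev["EventID"], ev["Image"])
```

The mutex name is kept in the IOC set even though Sysmon never logs it; it is the one artefact a live handle or memory scan can check without knowing which file the implant was dropped as.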
Targets
Target: RFQ TRQ22-06-20200051_pdf.exe
Size: 315KB
MD5: 154aa4440eee43b6472416eeb938f9e8
SHA1: 643b61955b6743f33db01be7ecf93463fd887da1
SHA256: d69aa1932b2e702e5065ee19da9fc9cf2b05e7dbaa617141b14eaa501a14955e
SHA512: 2a225d7128166394a26e226febd275f1ca1dead61666136008ff843b4a21eb0bf16a5b66c055a2d213d272d63c940d2cce02270475c9bb2551135a58cff77020
Score: 10/10
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Suspicious use of SetThreadContext
  Setting another thread's context is a common step in process hollowing and other code-injection techniques, where the hijacked thread's instruction pointer is redirected into the injected payload.