General
Target: 0dc4b40e172511950b2dbfc92eda71029f090c1f8ddbbe89921f5c49ee92f59d
Size: 835KB
Sample: 220521-w11e2seacl
MD5: fd65ad955ceb50ef41e385c88d751dc8
SHA1: b31c56045109fafabe403537e60647361a8ab4ca
SHA256: 0dc4b40e172511950b2dbfc92eda71029f090c1f8ddbbe89921f5c49ee92f59d
SHA512: 82666b25382206715d13f83c40a05ef9006f94b8db7f27463aac8e24f40cf579c3345b668db1339b7cc796107fe5091129437478e2c660471d9c5a4ee768df3a
Static task: static1
Behavioral task: behavioral1
  Sample: POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted
remcos
2.5.1 Pro
AUGUST-BLESS-ME
officer170.webredirect.org:2404
chidera12345.ddns.net:2404
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-T7VXCL
screenshot_crypt: false
screenshot_flag: true
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Targets
Target: POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
Size: 969KB
MD5: 6a8addc2fd26cab55567eba884e377d5
SHA1: 2fba0e16b023e47ff5c866325c5208a2d49f9da2
SHA256: 86c92d4b2244153a1f601168307d0c60f413631574d9c0ed3fe4c6fa890d6c26
SHA512: 024fc7aafc4ce64f0ddeefc0351fc0684fc9eb0a0d38f1b07152b19397da10edc5d0f99ffadb0632fc89d145ea872751ae10762f667d893fa26ed0dd223adb4a
Score: 10/10
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext