General
-
Target
TRN-97366461563688738_CIF_00077637283651296368_doc.bin.zip
-
Size
486KB
-
Sample
220613-p3fp4acdh7
-
MD5
1180ccd2189be290de22af2c69a579ce
-
SHA1
9d1d41bea914cf9c267a379a2e16863bcffd1646
-
SHA256
9962349253d26898c5c7a6263ef88a378d603f8e9bfaf4651dd44f7f27bdfcb6
-
SHA512
7fa6076152c5529645caa92c642efab1a8c0935194f54ae2bfb130ee2fe235f17c17527714751237b7929cd4111834a4c21e91fabbc716f42b50202b33dcaa13
Static task
static1
Behavioral task
behavioral1
Sample
TRN-97366461563688738_CIF_00077637283651296368_doc.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
TRN-97366461563688738_CIF_00077637283651296368_doc.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
remcos
RemoteHost
172.94.127.61:5888
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-V4JCDL
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
- take_screenshot_title
Targets
-
-
Target
TRN-97366461563688738_CIF_00077637283651296368_doc.bin
-
Size
538KB
-
MD5
71c04c5d339db01981ea6896784ab4af
-
SHA1
c9a8e3ad849f7e146e8d33008df1eba0a367aa96
-
SHA256
b884f8567f4e5056c3d4b58869a277830c40658f89ec5fa1e696c2e78620d9a0
-
SHA512
b4c1425f40757da86175a9c4f4462619ce4118ccc6e81eedd6218091ec666a60e15dfd434f7e1330993ca0b722c3e7346e8f845901eb55de2680e74637a42209
-
Modifies system executable filetype association
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-