General
-
Target
60d06cc7ffb33c86581b085d380efcd6670f2b0bd8e70ffbf8cf48473057670e
-
Size
270KB
-
Sample
220703-h364qacbe2
-
MD5
b2acd0870dcd7dd14d0cc51e67ac5e87
-
SHA1
a778a06ebb3e57d1bf58c8b7cddda76bb1bde50d
-
SHA256
60d06cc7ffb33c86581b085d380efcd6670f2b0bd8e70ffbf8cf48473057670e
-
SHA512
6c5cb813945e03e4229bb1da9c4b5f0b08272b04a0962377ec0461382bdb6a6870672675a157bf128af406c31c982ac21bc7d563ef3663dc01305f1f99edab1d
Static task
static1
Behavioral task
behavioral1
Sample
60d06cc7ffb33c86581b085d380efcd6670f2b0bd8e70ffbf8cf48473057670e.exe
Resource
win7-20220414-en
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
remcos
1.9.2 Pro
Host
shangri027.ddns.net:200
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
true
-
mutex
Remcos-8ZV01V
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
- take_screenshot_title
Targets
-
-
Target
60d06cc7ffb33c86581b085d380efcd6670f2b0bd8e70ffbf8cf48473057670e
-
Size
270KB
-
MD5
b2acd0870dcd7dd14d0cc51e67ac5e87
-
SHA1
a778a06ebb3e57d1bf58c8b7cddda76bb1bde50d
-
SHA256
60d06cc7ffb33c86581b085d380efcd6670f2b0bd8e70ffbf8cf48473057670e
-
SHA512
6c5cb813945e03e4229bb1da9c4b5f0b08272b04a0962377ec0461382bdb6a6870672675a157bf128af406c31c982ac21bc7d563ef3663dc01305f1f99edab1d
-
Modifies firewall policy service
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Suspicious use of SetThreadContext
-