General
-
Target
3c7ec3973570a16645402ec5072e88dfcca455bfd72464aa8b8d5e21b4c8b3ef
-
Size
359KB
-
Sample
220703-h37egscbe3
-
MD5
c47a488c2856c937f8fe7ff9ddf1c52d
-
SHA1
2df156748ccf95c71b60c304dd6dbe993fb5ffc8
-
SHA256
3c7ec3973570a16645402ec5072e88dfcca455bfd72464aa8b8d5e21b4c8b3ef
-
SHA512
6afdc5d137552f5a2ac474d2c9d6d3c77d45b98353f0942da13b94d9f3d65adefbb0e42194762ab1d02673640c2af088ea8bc4b2e563d2cb77330bc12a699a94
Static task
static1
Behavioral task
behavioral1
Sample
Bank details.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Bank details.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
Revised final Invoice.exe
Resource
win7-20220414-en
Malware Config
Extracted
remcos
1.9.2 Pro
Host
shangri027.ddns.net:200
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
true
-
mutex
Remcos-8ZV01V
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
- take_screenshot_title
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Targets
-
-
Target
Bank details.exe
-
Size
198KB
-
MD5
051a5f7670ccc0263258af88e3aecc97
-
SHA1
ff040dbc93f6985fb1703bf372e6cd03ce9b46ad
-
SHA256
e28fb6da315f75befba83ea2b6585968bfcff60104e637cb84ed63a0593ac794
-
SHA512
329f3c71297a3ccef638bb0709e4f18f94ca1d46deafb4c382544aa2a1935d187e1aefd355380c58518cdcadb92735c86ae1d5e0ae534c6fa27ff2235bfbf276
Score10/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
Revised final Invoice.exe
-
Size
270KB
-
MD5
b2acd0870dcd7dd14d0cc51e67ac5e87
-
SHA1
a778a06ebb3e57d1bf58c8b7cddda76bb1bde50d
-
SHA256
60d06cc7ffb33c86581b085d380efcd6670f2b0bd8e70ffbf8cf48473057670e
-
SHA512
6c5cb813945e03e4229bb1da9c4b5f0b08272b04a0962377ec0461382bdb6a6870672675a157bf128af406c31c982ac21bc7d563ef3663dc01305f1f99edab1d
-
Modifies firewall policy service
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-