General
-
Target
93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c
-
Size
267KB
-
Sample
220712-psltcsadar
-
MD5
af36518f0a97d140dfcd5afbb9740d8a
-
SHA1
3b8c31dcf501d7e93bf6b3e5ffaf1638942cd47c
-
SHA256
93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c
-
SHA512
95cff48acc0e72127f096b0d66d97299433a9a13e4f322195754bd59cef689badf1ec7f447dc3dd25b36cfde665a05c7251c8fa149e0bb5fe3aec97812df9fa8
Static task
static1
Behavioral task
behavioral1
Sample
93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c.exe
Resource
win7-20220414-en
Malware Config
Extracted
remcos
1.7 Pro
sales
178.175.138.219:200
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
microsoft
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_yyaopwkkmmuwfrk
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
- take_screenshot_title
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Targets
-
-
Target
93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c
-
Size
267KB
-
MD5
af36518f0a97d140dfcd5afbb9740d8a
-
SHA1
3b8c31dcf501d7e93bf6b3e5ffaf1638942cd47c
-
SHA256
93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c
-
SHA512
95cff48acc0e72127f096b0d66d97299433a9a13e4f322195754bd59cef689badf1ec7f447dc3dd25b36cfde665a05c7251c8fa149e0bb5fe3aec97812df9fa8
-
Modifies firewall policy service
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-