General
-
Target
7792776136.zip
-
Size
301KB
-
Sample
220729-tl7vgabhcp
-
MD5
c4623e5f274f69b0099bdda1dfc12935
-
SHA1
2e18b04676a7e1dded4096886ab987a1c5b4762a
-
SHA256
727b21d3161c37d2e70a9f367d72d41fac891153540bbebbe9cac7c13367b9b6
-
SHA512
6a6a645d87f906a0762f8ff98c8e10101483a115230e67cadb8802851718caba50b05c39c4681dc8e094b27fde68d7a02ab13317bf2f4f323c4fe720eb72bff3
Malware Config
Extracted
remcos
XP
xpremcuz300622.ddns.net:3542
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
oos.exe
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Remcos-MMP2I7
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
kkl
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
d959b480824d3f572e43bfdc6662d177353443bac3210448c8b02c9a01a3bec0
-
Size
339KB
-
MD5
80a1c58f87a5546e12d09e5cbbac80e9
-
SHA1
4e92f9231b72fd64588e07428f84463941ae7355
-
SHA256
d959b480824d3f572e43bfdc6662d177353443bac3210448c8b02c9a01a3bec0
-
SHA512
b1bd2df11b6c83aee5aabd7cd2650f9f9bb0b5979501befa478aea8a16c18e6a52fc856c834b2173565c4cf190e644ad82e750f5ca2c94456e21dd9b23a54260
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Abuses OpenXML format to download file from external location
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-