General
-
Target
f6x8LJCP.exe
-
Size
128KB
-
Sample
220810-yh4e4agcb7
-
MD5
da88c3cc6dbd042b0971b5951d6fb5f4
-
SHA1
d972b5f0d29ebd6db596c607434bf930ab822d48
-
SHA256
56b9e1a9f0704305007504a26661905930387fc49d0fb0f9938d28fd1d46e60a
-
SHA512
e747435ce57b90f0d9c574192c6c87f0aa9143304a764f847bf1566956fa179a350e75957f353692d060d186815a28554dde917b4229fd4155a9abf169984206
Malware Config
Extracted
remcos
2.7.0 Pro
defender
2.tcp.ngrok.io:17041
-
audio_folder
Micdefender
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
defender.exe
-
copy_folder
defender
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
defender
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-FZLLSK
-
screenshot_crypt
true
-
screenshot_flag
true
-
screenshot_folder
defenderscrsh
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Defender
-
take_screenshot_option
true
-
take_screenshot_time
185
-
take_screenshot_title
gmail, facebook, twitter
Targets
-
-
Target
f6x8LJCP.exe
-
Size
128KB
-
MD5
da88c3cc6dbd042b0971b5951d6fb5f4
-
SHA1
d972b5f0d29ebd6db596c607434bf930ab822d48
-
SHA256
56b9e1a9f0704305007504a26661905930387fc49d0fb0f9938d28fd1d46e60a
-
SHA512
e747435ce57b90f0d9c574192c6c87f0aa9143304a764f847bf1566956fa179a350e75957f353692d060d186815a28554dde917b4229fd4155a9abf169984206
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-