General
-
Target
RtJT2FrE.exe
-
Size
128KB
-
Sample
220810-yldnvagce4
-
MD5
648e9dc18a8bd5dda03ca12f4f2768e7
-
SHA1
efaefb940f47210dd0a3e9483aede0d9d5ce8a52
-
SHA256
e0b6bc3a80979c9698dc1a45ec43f00b0a35841706e1414fb29996eb57962c44
-
SHA512
6fd011e2397eaa6ae0f87f41bdc7df8aa01db2e7d181a9072b9e2cddc49722dc1ccb1a67cc45c59989438c68539e0c6f4154267e4d86dbdcc8088b22a435a3a6
Behavioral task
behavioral1
Sample
RtJT2FrE.exe
Resource
win7-20220718-en
Malware Config
Extracted
remcos
2.5.0 Pro
system
213.152.161.40:8733
109.202.103.170:8733
213.152.162.89:8733
213.152.162.109:8733
213.152.161.239:8733
213.152.162.69:8733
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
sys.exe
-
copy_folder
sys
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%WinDir%\System32
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
system
-
keylog_path
%WinDir%\System32
-
mouse_option
false
-
mutex
system-UQU82S
-
screenshot_crypt
true
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%WinDir%\System32
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
true
-
take_screenshot_time
5
-
take_screenshot_title
https://online.mbank.pl/pl/Login;https://login.ingbank.pl/mojeing/app/#login;https://www.pekao24.pl/;https://online.santanderconsumer.pl/Authentication/;https://orangefinanse.com.pl/or/Login;https://login.aliorbank.pl/;https://www.ipko.pl/;https://secure.getinbank.pl/#index/index;https://www.bankmillennium.pl/logowanie;https://www.ideabank.pl/logowanie;https://www.bosbank.pl/#;https://www.bankbps.pl/;https://plusbank24.pl/;https://www.citibankonline.pl/apps/auth/signin/;https://e-bank.credit-agricole.pl/;https://moj.raiffeisenpolbank.com/;https://login.bgzbnpparibas.pl/login/Redirect?SAMLRequest=fZDBTsMwDIZfpcp9bdoG2lltpQouk%2BDCEPe09bZKbRJiB008PWET0uDA0fb3%2FZbdkF4XB33gk3nB94DEyXldDMFl0IrgDVhNM4HRKxLwCPv%2B%2BQmKVILzlu1oF3Gj%2FG9oIvQ8WyOS3WMryvupVnlZTbqUoyoHuVWYq8MW1aEqsFQieUNPEW9FtKNDFHBniLXh2JJ5vZHbTSFf8wLyCu5qkfQ%2FGx6sobCi36P%2FmMdoTXhuRQzpmf08BMYrMZvjX6Rrvi%2BByzbfnZgdZJlbtEFOh%2BPnYJzTMUJT6pYmu2Wv1e9%2Fdl8%3D;https://konto.toyotabank.pl/auth/login.jsp;https://online.eurobank.pl/nbi/bezpieczenstwo/logowanie;https://www.deutschebank.pl/;https://www.pocztowy.pl/;https://www.t-mobilebankowe.pl/;
Targets
-
-
Target
RtJT2FrE.exe
-
Size
128KB
-
MD5
648e9dc18a8bd5dda03ca12f4f2768e7
-
SHA1
efaefb940f47210dd0a3e9483aede0d9d5ce8a52
-
SHA256
e0b6bc3a80979c9698dc1a45ec43f00b0a35841706e1414fb29996eb57962c44
-
SHA512
6fd011e2397eaa6ae0f87f41bdc7df8aa01db2e7d181a9072b9e2cddc49722dc1ccb1a67cc45c59989438c68539e0c6f4154267e4d86dbdcc8088b22a435a3a6
-
Modifies WinLogon for persistence
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Modifies WinLogon
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-