General
-
Target
0f9db1a604f02ecde6b747374ad5bde6.js
-
Size
853KB
-
Sample
220907-l4hz3abga4
-
MD5
9d6cc349c5662e0943f620ce559617f1
-
SHA1
76e0c00f8814b7aed7c57bf96a2667c90e0f3f0a
-
SHA256
1ce27214924d57fcb691f35e14d48767d0879a62b1a13f2f52c9b51e05028435
-
SHA512
20399eca979b89c5cc9cf0b81a227321e92b7714ea035cdfbe97bbba39b8d33d922a9499655c3170bec33003305a111d4c5617c11098bc985b2b642ea4551d19
-
SSDEEP
12288:ioPp+y4DmZYL67Zpt0s/yFAJdlZHkpn/q7TOScuwBLJuz0aowLvFFEsYBqXu:z6KZWqZYwyFeEpCuOOwLtFEsY3
Static task
static1
Behavioral task
behavioral1
Sample
0f9db1a604f02ecde6b747374ad5bde6.js
Resource
win7-20220812-en
Malware Config
Extracted
remcos
Chinese
185.157.162.75:2222
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-WGAM8T
-
screenshot_crypt
false
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
PowerPc
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
0f9db1a604f02ecde6b747374ad5bde6.js
-
Size
853KB
-
MD5
9d6cc349c5662e0943f620ce559617f1
-
SHA1
76e0c00f8814b7aed7c57bf96a2667c90e0f3f0a
-
SHA256
1ce27214924d57fcb691f35e14d48767d0879a62b1a13f2f52c9b51e05028435
-
SHA512
20399eca979b89c5cc9cf0b81a227321e92b7714ea035cdfbe97bbba39b8d33d922a9499655c3170bec33003305a111d4c5617c11098bc985b2b642ea4551d19
-
SSDEEP
12288:ioPp+y4DmZYL67Zpt0s/yFAJdlZHkpn/q7TOScuwBLJuz0aowLvFFEsYBqXu:z6KZWqZYwyFeEpCuOOwLtFEsY3
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-