General
-
Target
33-0d8783b653d2a02641f6b7684378b57a5cc6e1cf72521c0a0f378b1c6e74e618.zip
-
Size
770KB
-
Sample
221013-q29r8agabj
-
MD5
1d97513f9869758456a5b907892cd094
-
SHA1
72ccf0214d29ad7b5f6345bab66240a6646427ba
-
SHA256
15997878094935d032953d1d73e84519c39c335c1e6711b23891f7ffcb58e08f
-
SHA512
0d164c6e8267ca4bc1ac07edf4aa17b0b20c8f7eec7957c3447aba0337ac283f88d9e4d11e59ccb9c45709c3b2ce6e3a6ba5aecbbd1f457935b98ddcd47ac9ec
-
SSDEEP
12288:P4yCBj1ws9+Ct4DLfxIMJeI43lhGcP2BZTNT1emejDjUL6YLW0xIbxMl8bnF:P47BGsAxoI43lhGpB1eme/sdWBd7F
Static task
static1
Behavioral task
behavioral1
Sample
0d8783b653d2a02641f6b7684378b57a5cc6e1cf72521c0a0f378b1c6e74e618.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
0d8783b653d2a02641f6b7684378b57a5cc6e1cf72521c0a0f378b1c6e74e618.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
remcos
XP
xpremcuz300622.ddns.net:3542
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
oos.exe
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Remcos-MMP2I7
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
kkl
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
0d8783b653d2a02641f6b7684378b57a5cc6e1cf72521c0a0f378b1c6e74e618.exe
-
Size
835KB
-
MD5
0caf4f8bc47dc7226740d023f654e937
-
SHA1
eea58b2403f0aaf088b272b948eeaaf6f87009cc
-
SHA256
0d8783b653d2a02641f6b7684378b57a5cc6e1cf72521c0a0f378b1c6e74e618
-
SHA512
3cacca879960ca9b9c12fd0bdd72c81b98601c33d531fb24bb259d6c45f09f23e1f6a5a0720af5236d2239d83b62eaf315bd1b39e9ed67a73828318f1155e268
-
SSDEEP
12288:rEVv2iNsAJ8YQNb4tQ3y/Q7AJFGWYKJH0bOt1BNvn1C0XtaPwL/UL6hDRgkADe:YF1nCNb4ucQ0JbY83nvn1C0UMg6hDRj
Score10/10-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-