General
-
Target
Fully Singed Aggrement.xlsx
-
Size
742KB
-
Sample
221028-qxx8mafff3
-
MD5
f7afc6233a1a8e0607449a7552748722
-
SHA1
2c448ddfddb4b1c0481698d5181b6295633e1777
-
SHA256
fa167d133cb53da59f334ef6b12b264ef4e716a595084b6f922c4e447ea3def0
-
SHA512
2609c7ff2590ab5a1987462045b6e92188d52724fc0ddb91f6365e0446ccf2c9381de014893a9b1f77a454967de1e128aae725b6e3be99474d2b8c3e60cc3a51
-
SSDEEP
12288:38TesV8h7Hsh1mYDQlH4Fg4c6E3/pJ+QBC81JdzBffAHmZ76WW+y6ATWDmDjiYj:3OEzsh1msQlH74YpMiC81rJbbATb1j
Malware Config
Extracted
remcos
XP
xpremcuz300622.ddns.net:3542
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
oos.exe
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Remcos-MMP2I7
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
kkl
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
Fully Singed Aggrement.xlsx
-
Size
742KB
-
MD5
f7afc6233a1a8e0607449a7552748722
-
SHA1
2c448ddfddb4b1c0481698d5181b6295633e1777
-
SHA256
fa167d133cb53da59f334ef6b12b264ef4e716a595084b6f922c4e447ea3def0
-
SHA512
2609c7ff2590ab5a1987462045b6e92188d52724fc0ddb91f6365e0446ccf2c9381de014893a9b1f77a454967de1e128aae725b6e3be99474d2b8c3e60cc3a51
-
SSDEEP
12288:38TesV8h7Hsh1mYDQlH4Fg4c6E3/pJ+QBC81JdzBffAHmZ76WW+y6ATWDmDjiYj:3OEzsh1msQlH74YpMiC81rJbbATb1j
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-