General
-
Target
Request_For_Quote(1).img.iso
-
Size
1.4MB
-
Sample
221101-xfr4lsecb9
-
MD5
801abea04a6326aceee2c50fa574aa1b
-
SHA1
e4c5c3739e2d694ab685d2ce822f90c8b59579ae
-
SHA256
c15faefe36124624292ccddfb64d743c3f7bb1cab2788d09edd0b496af9c8512
-
SHA512
dd1694424aaa2b7899c4b1587b88475c8fb7516b9dac4fdfc8294e324cd4912d19bf55cde286da22b681fd6259ea8956ee60531fa82cc1d62f1526d2730f0616
-
SSDEEP
12288:GEVv2iNsAJ8YQNb4tQ3y/Q7AJFGWYKJH0bOt1BNvn1C0XtaPwL/UL6hDRgkADe:lF1nCNb4ucQ0JbY83nvn1C0UMg6hDRj
Static task
static1
Behavioral task
behavioral1
Sample
REQUEST_.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
REQUEST_.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
remcos
XP
xpremcuz300622.ddns.net:3542
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
oos.exe
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Remcos-MMP2I7
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
kkl
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
REQUEST_.EXE
-
Size
835KB
-
MD5
0caf4f8bc47dc7226740d023f654e937
-
SHA1
eea58b2403f0aaf088b272b948eeaaf6f87009cc
-
SHA256
0d8783b653d2a02641f6b7684378b57a5cc6e1cf72521c0a0f378b1c6e74e618
-
SHA512
3cacca879960ca9b9c12fd0bdd72c81b98601c33d531fb24bb259d6c45f09f23e1f6a5a0720af5236d2239d83b62eaf315bd1b39e9ed67a73828318f1155e268
-
SSDEEP
12288:rEVv2iNsAJ8YQNb4tQ3y/Q7AJFGWYKJH0bOt1BNvn1C0XtaPwL/UL6hDRgkADe:YF1nCNb4ucQ0JbY83nvn1C0UMg6hDRj
Score10/10-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-