General
-
Target
KHIDMM221613.xlsx
-
Size
124KB
-
Sample
221101-xgbs1sfaeq
-
MD5
1c33ebd9123fbb1d445a1241d0899fca
-
SHA1
a4b1a16cadffd00f3a9d349ff9a3a4e598a6f25a
-
SHA256
04a944a2b7b278081d3bbe43843fb395f30d8bd190154cbdf9b04fcebf8b7ae3
-
SHA512
dede0f56ccfad169862581a2395f639ddc16447735bf11aadd125bf2878547a5d5c862ecddc9cfcd4944f0065edb8c8b45876b8fc4911d4cebcbbbde4702653b
-
SSDEEP
3072:1n0u1fkHlAw95+2qXg99hpWH3Cv28psaTbQHVSSz0:90uJkFAFXWbu3CvZc1e
Malware Config
Extracted
remcos
FRESH bangs
aryexpcrt.ddns.net:3216
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-EL21LG
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
KHIDMM221613.xlsx
-
Size
124KB
-
MD5
1c33ebd9123fbb1d445a1241d0899fca
-
SHA1
a4b1a16cadffd00f3a9d349ff9a3a4e598a6f25a
-
SHA256
04a944a2b7b278081d3bbe43843fb395f30d8bd190154cbdf9b04fcebf8b7ae3
-
SHA512
dede0f56ccfad169862581a2395f639ddc16447735bf11aadd125bf2878547a5d5c862ecddc9cfcd4944f0065edb8c8b45876b8fc4911d4cebcbbbde4702653b
-
SSDEEP
3072:1n0u1fkHlAw95+2qXg99hpWH3Cv28psaTbQHVSSz0:90uJkFAFXWbu3CvZc1e
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-