General

  • Target: 1896-70-0x0000000000400000-0x0000000000488000-memory.dmp
  • Size: 544KB
  • MD5: 941c6f19208c7c2f1a20589cc96a9e01
  • SHA1: b32dbdff1a54b185d7781d2675f4ed3f2d01d977
  • SHA256: 5741990b57102f8a128b76995c4701557d0cbd013adfd0dd69fb35d3d9c282d9
  • SHA512: 25c6206806d113c94eb28a5f92245894e360752c631886ff2a27de234f511f8e1464b3a2cdf896344ab58bbe8bd05db1483df0a9035a7645f495a260335d8d65
  • SSDEEP: 6144:xAg4RVDZlHx5k7iLZnaSguI2IiRL/SISjw8nHW0R2K3g9ZsAOZZQmX45jg:xmnk7iLJbpIpiRL6I2WdKQ9ZsfZQ

Malware Config

Extracted

  • Family: remcos
  • Botnet: RemoteHostStar
  • C2: 41.216.183.226:41900

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-0OUDX5
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: Remcos
  • take_screenshot_option: false
  • take_screenshot_time: 5

Signatures

  • Remcos family
  • UPX packed file (1 IoC): detects executables packed with UPX or a modified UPX open-source packer.

Files

  • 1896-70-0x0000000000400000-0x0000000000488000-memory.dmp (.exe, windows x86)