General

Target: SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
Size: 10KB
Sample: 221129-s9bw9sff9z
MD5: c4356d6506fed06bf83324222896e64f
SHA1: 3932ecf0b9ae7e144180ae357cc72f05b2bb1963
SHA256: 1f353369c80de1b1e98ded84be361263e75f56c109764fa3f5fa1d9b1df3a0c9
SHA512: d68f76f09183e84c729cb1f7f4d090dedf387925d7cfd80e369a89d17a13b488fb0c9fc10620da3f5d39cbad73d9ff8ac0bbefa79981f7693abe925d6b786e53
SSDEEP: 192:ujGVmR2TsJcAALF+9kseWgN0l4TKmF8stYcFmVc03KY:uikRvJczLF+9ksxgfTKmFptYcFmVc03K
Static task
static1

Behavioral task
behavioral1
Sample: SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
Resource: win7-20221111-en

Behavioral task
behavioral2
Sample: SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
Resource: win10v2004-20220812-en
Malware Config

Extracted: remcos
Remote (C2): 79.110.62.46:50499
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: windowss
mouse_option: false
mutex: fg4wer4s5trgfqewdc-WR9LLO
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5

The fields that yield observable artefacts are the C2 endpoint (79.110.62.46:50499), the mutex name, the drop path built from copy_folder and copy_file (Remcos\remcos.exe) and the Run-key value name startup_value (Remcos). install_flag, keylog_flag and screenshot_flag are all false in this build, yet a Run key was still written at runtime (see the signatures under Targets), so scope an affected host on the observed behaviour rather than on the config flags alone.
Targets

Target: SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
Size: 10KB
MD5, SHA1, SHA256, SHA512, SSDEEP: identical to the General section above (same file)
Score: 10/10

Signatures:
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application: persistence via a Run-key value; the extracted config names the value "Remcos" (startup_value).
- Suspicious use of SetThreadContext: a call typical of process hollowing or thread hijacking. A 10KB sample that yields a complete Remcos configuration is consistent with a loader that injects the actual payload into another process.
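The configuration and signatures above translate directly into indicators that can be checked in telemetry. The following Python script is an added example for this report, not code from the sandbox, the submitter or Remcos: it transcribes the extracted config fields into a dictionary, derives host and network IOCs from them (C2 host and port, Run-key value name, drop path and keylog path suffixes, mutex), and runs a few constructed Sysmon-style events (IDs 3, 11 and 13) through a matcher. The event field names follow Sysmon's conventions; the victim user name, SID and the OneDrive decoy entry are assumptions made up for the example, and the keylog event is included only to show that the path check generalizes, since keylog_flag is false in this config.

```python
"""Turn the extracted Remcos configuration into IOCs and match them against
Sysmon-style events.

Added example for this report, not code from the sandbox or from Remcos.
Config values are transcribed from the report; the events are constructed
(victim user name, SID and local paths are assumptions).
"""
import json
import re

# Fields copied from the "Malware Config" section of the report (only the
# ones that yield observable artefacts; boolean flags are omitted).
REMCOS_CONFIG = {
    "Remote": "79.110.62.46:50499",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "mutex": "fg4wer4s5trgfqewdc-WR9LLO",
    "startup_value": "Remcos",
    "keylog_folder": "windowss",
    "keylog_file": "logs.dat",
}

# Captures the value name under a per-user (HKU\<SID>) or per-machine Run key.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I
)


def derive_iocs(cfg):
    """Derive host and network indicators from the config fields."""
    host, port = cfg["Remote"].rsplit(":", 1)
    return {
        "c2_host": host,
        "c2_port": int(port),
        # The mutex does not appear in Sysmon events; check it on a live
        # host (handle enumeration) rather than in event logs.
        "mutex": cfg["mutex"],
        "run_value": cfg["startup_value"],
        # Path suffixes are compared case-insensitively in match_event().
        "drop_suffix": f"\\{cfg['copy_folder']}\\{cfg['copy_file']}".lower(),
        "keylog_suffix": f"\\{cfg['keylog_folder']}\\{cfg['keylog_file']}".lower(),
    }


def match_event(ev, iocs):
    """Return a detection name if a Sysmon-style event hits an IOC, else None."""
    eid = ev.get("EventID")
    if eid == 3:  # network connection
        if (ev.get("DestinationIp") == iocs["c2_host"]
                and int(ev.get("DestinationPort", 0)) == iocs["c2_port"]):
            return "remcos_c2_connection"
    elif eid == 13:  # registry value set
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m and m.group(1).lower() == iocs["run_value"].lower():
            return "remcos_run_key_persistence"
    elif eid == 11:  # file create
        name = ev.get("TargetFilename", "").lower()
        if name.endswith((iocs["drop_suffix"], iocs["keylog_suffix"])):
            return "remcos_dropped_file"
    return None


def scan(events, iocs):
    """Run every event through match_event and collect (EventID, detection) hits."""
    hits = []
    for ev in events:
        hit = match_event(ev, iocs)
        if hit:
            hits.append((ev["EventID"], hit))
    return hits


# Constructed Sysmon-style events as JSON lines. The Run-key write and the
# AppData path mirror the startup_value / copy_folder / copy_file fields;
# the svchost DNS connection and the OneDrive Run value are benign decoys.
SAMPLE_EVENTS = r"""
{"EventID": 3, "Image": "C:\\Users\\victim\\AppData\\Roaming\\Remcos\\remcos.exe", "DestinationIp": "79.110.62.46", "DestinationPort": 50499}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "8.8.8.8", "DestinationPort": 53}
{"EventID": 11, "TargetFilename": "C:\\Users\\victim\\AppData\\Roaming\\Remcos\\remcos.exe"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Remcos", "Details": "C:\\Users\\victim\\AppData\\Roaming\\Remcos\\remcos.exe"}
{"EventID": 11, "TargetFilename": "C:\\Users\\victim\\AppData\\Roaming\\windowss\\logs.dat"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
""".strip()


def scan_sample():
    """Parse the constructed events and return the hits against the report's IOCs."""
    events = [json.loads(line) for line in SAMPLE_EVENTS.splitlines()]
    return scan(events, derive_iocs(REMCOS_CONFIG))


if __name__ == "__main__":
    for eid, hit in scan_sample():
        print(f"Sysmon event {eid}: {hit}")
```

On the constructed input the two decoy events produce no hit, while the C2 connection, the Remcos\remcos.exe drop, the Run value named Remcos and the windowss\logs.dat write are each flagged. Matching on the path suffix rather than the full path is deliberate: %AppData% resolves differently per user, and the config only fixes the folder and file names.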