General
- Target: E2827807D8E056C645EBBB2CD10D32E8F3EE371494E2CBE4E56D56E94846F804
- Size: 1.2MB
- Sample: 221213-2rs79sgg77
- MD5: 9ce28f7b9302ecc41c61ec9b2872f6e9
- SHA1: 1aaea0f20bd56da3226ff00e342cad7ff8bf9873
- SHA256: e2827807d8e056c645ebbb2cd10d32e8f3ee371494e2cbe4e56d56e94846f804
- SHA512: ed1e5592d40f5a2947579e00f28d85fc781e9bc896333e237024b37feda1ad3ec303d111d9a6e26d14006e802c2b56056dcaab815c9fc43f45122256a256813d
- SSDEEP: 12288:wAqJCwkCNDLOTC+PpCbDAY/XOo0KsBFz294T+4o:7qJC3aOTC+PpCQjogC94T+
Static task: static1
Behavioral task: behavioral1
- Sample: HR13.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: HR13.exe
- Resource: win10v2004-20221111-en
Malware Config
Extracted
- remcos
- awa
- gdyhjjdhbvxgsfe.gotdns.ch:2718
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-J6C5A7
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: HR13.EXE
- Size: 540KB
- MD5: 09c8a4ec0abd5727a322511a1eb3c853
- SHA1: e0b7508f08e39e1cd2585ae8d7693f430a6a60c4
- SHA256: 24ad92f2caa93cca887c6a2f81dc32a08d3f7e01f1e5939f519a9beb2b4db50f
- SHA512: ec91771ca6ccf7e8c0f7a0ce307558b6fc70bb4dbc73d82aa656fe1c92c71da28a9d0561f01f01b344e4ab9d9c42c93b0c7c847d14003a85c49f12de4d2650da
- SSDEEP: 12288:WAqJCwkCNDLOTC+PpCbDAY/XOo0KsBFz294T+4oj:JqJC3aOTC+PpCQjogC94T+v
Score: 10/10
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext