General

Target: Roshan Basnayaka CV_1.xz
Size: 863KB
Sample: 230125-n4q2safh74
MD5: d2e33e372b199abb6f30afb3ae157eeb
SHA1: ab16a88d0947e0322d4926bf70653ff411677015
SHA256: 08b1feef06418988ebe21c6b47c7a0d9b593d5de5ae65f23c41c7092006d2261
SHA512: b42af2a3270adac70cbeab80a1d4396fb3b995172a4eefc89392e22678283020112fadccd4b093dba41e9194056bed7d2006cf226d86b165c4beffc99cffe6c8
SSDEEP: 24576:ef4XG9y6Y9Tijb/z47hMGXXlYH3HPdGKkvU2XJfvEJq4:PXGYj9TAb/8VpxKkvUKfvEJR
Static task: static1
Behavioral task: behavioral1 (sample: Roshan Basnayaka CV.exe, resource: win7-20220901-en)
Behavioral task: behavioral2 (sample: Roshan Basnayaka CV.exe, resource: win10v2004-20220812-en)
Malware Config

Extracted: remcos
XP: xpremcuz300622.ddns.net:3542
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: oos.exe
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Remcos-MMP2I7
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: kkl
take_screenshot_option: false
take_screenshot_time: 5
Targets

Target: Roshan Basnayaka CV.exe
Size: 1017KB
MD5: b1d073104bbfc0210465938d4d83cab3
SHA1: 3d56e396ec24127071e94226c4d5b654ffe3afc2
SHA256: 32c38d159ca596fc6f8696c7462299312a8b243dd4ea75086946494f5c5cd801
SHA512: e797a37a74182b6a330874cb8616a341c5b8c6f736c9d0597e49bc8f5abf99a0bfa0b5f6a5578cb7bd6b1d557dfa7bac3d041ef30c1b42ffce1848ff8d3435f0
SSDEEP: 24576:fK9SwdINS9riJ77z47hiGZXJkHrxPdIKkQ2FL:6H9r0778VdzKkQQL
Score: 10/10

- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
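The extracted config and the "Adds Run key" signature together give concrete, host- and network-level indicators: the implant copies itself to %AppData% as oos.exe, persists through a Run value named kkl, takes the mutex Remcos-MMP2I7, writes its keylog to remcos\logs.dat under the install path, and beacons to xpremcuz300622.ddns.net on TCP 3542. The script below is an added example (not part of this report or of any sandbox's tooling) that turns those config values into indicators and runs them over constructed endpoint telemetry. The telemetry format ("TYPE key=value ...") is invented for the example, the sample lines are made up, and %AppData% is assumed to expand to the usual ...\AppData\Roaming.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Values copied from the extracted Remcos config in the report above.
REMCOS_CONFIG = {
    "c2": "xpremcuz300622.ddns.net:3542",
    "copy_file": "oos.exe",
    "install_path": "%AppData%",
    "mutex": "Remcos-MMP2I7",
    "startup_value": "kkl",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
}


@dataclass(frozen=True)
class Indicators:
    c2_host: str      # DNS name the implant resolves
    c2_port: int      # TCP port it connects to
    dropped_exe: str  # file name of the installed copy (copy_file)
    install_dir: str  # install_path with %AppData% expanded (assumed: \AppData\Roaming)
    mutex: str        # mutex created to avoid a second instance
    run_value: str    # value name under HKCU\...\CurrentVersion\Run (startup_value)
    keylog_tail: str  # keylog_folder\keylog_file, relative to the install dir


def indicators_from_config(cfg: dict) -> Indicators:
    host, _, port = cfg["c2"].rpartition(":")
    return Indicators(
        c2_host=host.lower(),
        c2_port=int(port),
        dropped_exe=cfg["copy_file"].lower(),
        install_dir=cfg["install_path"].lower().replace("%appdata%", r"\appdata\roaming"),
        mutex=cfg["mutex"],
        run_value=cfg["startup_value"].lower(),
        keylog_tail=f'{cfg["keylog_folder"]}\\{cfg["keylog_file"]}'.lower(),
    )


# Constructed telemetry in a made-up "TYPE key=value ..." format; not a real sensor format.
SAMPLE_TELEMETRY = [
    "FILE path=C:\\Users\\bob\\AppData\\Roaming\\oos.exe op=create",
    "REG key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=kkl data=C:\\Users\\bob\\AppData\\Roaming\\oos.exe",
    "MUTEX name=Remcos-MMP2I7 proc=C:\\Users\\bob\\AppData\\Roaming\\oos.exe",
    "DNS query=xpremcuz300622.ddns.net answer=203.0.113.10",
    "NET dst=203.0.113.10:3542 proc=C:\\Users\\bob\\AppData\\Roaming\\oos.exe",
    "FILE path=C:\\Users\\bob\\AppData\\Roaming\\remcos\\logs.dat op=create",
    "DNS query=update.microsoft.com answer=13.107.4.50",
    "REG key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=OneDrive data=C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Split 'TYPE k=v k=v' into the event type and a dict of fields."""
    kind, _, rest = line.partition(" ")
    return kind, dict(KV_RE.findall(rest))


def scan_telemetry(lines, ind: Indicators):
    """Return (line_no, reason) for every event matching a config-derived indicator.

    Network hits are tied to the C2 through DNS: the dynamic-DNS host may resolve to
    any address, so a NET event only counts if its destination IP was earlier returned
    for the C2 name and the port equals the configured one.
    """
    hits = []
    resolved = set()  # IPs the C2 host resolved to so far
    for n, line in enumerate(lines, 1):
        kind, f = parse_line(line)
        if kind == "DNS" and f.get("query", "").lower() == ind.c2_host:
            resolved.add(f.get("answer", ""))
            hits.append((n, f"DNS lookup of Remcos C2 host {ind.c2_host}"))
        elif kind == "NET":
            ip, _, port = f.get("dst", "").rpartition(":")
            if ip in resolved and port.isdigit() and int(port) == ind.c2_port:
                hits.append((n, f"connection to resolved C2 {ip}:{port}"))
        elif kind == "REG":
            key, value = f.get("key", "").lower(), f.get("value", "").lower()
            if key.endswith(r"\currentversion\run") and value == ind.run_value:
                hits.append((n, f"Run-key persistence value '{ind.run_value}'"))
        elif kind == "MUTEX" and f.get("name") == ind.mutex:
            hits.append((n, f"Remcos mutex {ind.mutex}"))
        elif kind == "FILE":
            path = f.get("path", "").lower()
            if path.endswith("\\" + ind.keylog_tail):
                hits.append((n, "keylog file written under install path"))
            elif path.endswith("\\" + ind.dropped_exe) and ind.install_dir in path:
                hits.append((n, f"implant copied to {ind.install_dir}\\{ind.dropped_exe}"))
    return hits


if __name__ == "__main__":
    for line_no, reason in scan_telemetry(SAMPLE_TELEMETRY, indicators_from_config(REMCOS_CONFIG)):
        print(f"line {line_no}: {reason}")
```

The port alone is deliberately not treated as an indicator: 3542 is only meaningful in combination with the C2 name, which is why a NET event that precedes any DNS resolution of xpremcuz300622.ddns.net is not attributed to this sample. The Run value name and the dropped-file name are low-cost to change between builds, so treat them as indicators for this sample rather than for the Remcos family.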