General
-
Target
SZ59020_GENERAL_Makina _Sales_Order.zip
-
Size
1.6MB
-
Sample
230202-rsljpsgh61
-
MD5
52b1f058ad5b07d1cac6a7a2f4203b4b
-
SHA1
8122a6069195fbc3df88d4159560fc1f33685688
-
SHA256
effbb317ce8899536564043358e00a0703f06f5948edce75b81369223e1e64c3
-
SHA512
48aa8d1f0b58fb15441240993870e855dc03b325f12ebbfec13e9a048b3c9f1b7e819a62b36117fa7e685453525c6f956b1646d08add64ff62fe23652b4906a0
-
SSDEEP
24576:0B8fzw3HTQ3WfdMczHMepP5bYDVcbMWB55GtC0+l+OZC6K7WbWDQTKI:U8fEDrfT5UJQFnl+Og6KiCm
Malware Config
Extracted
remcos
RemoteHost
185.246.220.63:3689
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-7SGYUR
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
SZ59020 - GENERAL Makina - Sales Ordergpj.Scr
-
Size
300.3MB
-
MD5
c5dfc30923176ce48b7d00514dee323b
-
SHA1
3a7b7d29965a528b4a69e3104be932bfd699cb22
-
SHA256
5f431702df621711992ba38c723eac1e799d6f5499a5cc7b595edcc7ad78894d
-
SHA512
5b14971464c3a5031fd377b0e0fb838dc5ca6da682dd896f42767687e64a5e357d9b6ab6f04d6011d46e3e70911699d89ca4fdee49dd72ed759ad560c27d88f6
-
SSDEEP
24576:zTbBv5rUmlWpuLmPmcZScRCxP5zYCxINLIgiB5TGrC003Svlxi6K7KEpd9pLn:tBqamszUCx+LIhzH3Svfi6KOKd9pLn
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Detected potential entity reuse from brand microsoft.
-
Suspicious use of SetThreadContext
-