General
Target: a2c8392f47662eb08f743b75912fe84a.exe
Size: 434KB
Sample: 230207-jvzkcaac84
MD5: a2c8392f47662eb08f743b75912fe84a
SHA1: 6c15b308b41065a646bff69ce629efe8b673e6cc
SHA256: d1937bc0326abde4ce4a9f3cac4fac05de2926bfec9be2ea40200b9682bebe30
SHA512: 28737d5f8917262f4694d7ca8b6159e59a61f872998aff2a4c596bd2715ca976db7e40678e8124e50aa6dc5bec9d648b667a1aefb93027048801ba0653c24c44
SSDEEP: 12288:olUMX5Lyl/bvlQkJYJTN9Z+pcHFx5kjIKhP7:ohLq/bvlQkJYJBzYcHFxGd
Static task: static1
Behavioral task: behavioral1 (sample a2c8392f47662eb08f743b75912fe84a.exe, resource win7-20221111-en)
Behavioral task: behavioral2 (sample a2c8392f47662eb08f743b75912fe84a.exe, resource win10v2004-20220812-en)
Malware Config
Extracted: remcos
R43-REL2
solo.chessregister.rss-search.anondns.net:8443
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 40
connect_interval: 16
copy_file: _echosoftwarelic.exe
copy_folder: .echosft
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: true
install_path: %AppData%
keylog_crypt: true
keylog_file: dd4226cbf.dat
keylog_flag: false
keylog_folder: .monosvc
keylog_path: %AppData%
mouse_option: false
mutex: EchoRm-LRL5TG
screenshot_crypt: true
screenshot_flag: false
screenshot_folder: fstlock
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Echo Comm
take_screenshot_option: true
take_screenshot_time: 6
take_screenshot_title: Account;Payment;PayPal;License;Activation;Client;Banking
Targets
Target: a2c8392f47662eb08f743b75912fe84a.exe
Size: 434KB
Score: 10/10
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext