General
-
Target
1.exe
-
Size
36KB
-
Sample
230218-sp819sce77
-
MD5
955254331ec1b57550742ed9b353b00f
-
SHA1
3a00c062489de5371742bc5eca43ae8ec32affac
-
SHA256
e088712c8943c56456635938bc9668f0ca0724086525de9dc736ae5e77ee17a0
-
SHA512
5e1aa13cf78fe3d6bfbc15eb2155dad30f0a6e6ea533df7f34ab06eb85ab87fa225c313753fc1886770c9990f2e87400fbfa7bea9a557f9f2acec8d3481b4d70
-
SSDEEP
768:P5PHyCjmhFdWfLubuZ1kvIaEekM2C8cZNr1:P5PHfjGPAKbLVUer
Malware Config
Extracted
remcos
1.7 Pro
1877
hawler.duckdns.org:2404
5.206.227.115:2404
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
svshost.exe
-
copy_folder
1877
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%WinDir%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
1877
-
keylog_path
%AppData%
-
mouse_option
true
-
mutex
1877_spelzoyulk
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
Google Update
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
1.exe
-
Size
36KB
-
MD5
955254331ec1b57550742ed9b353b00f
-
SHA1
3a00c062489de5371742bc5eca43ae8ec32affac
-
SHA256
e088712c8943c56456635938bc9668f0ca0724086525de9dc736ae5e77ee17a0
-
SHA512
5e1aa13cf78fe3d6bfbc15eb2155dad30f0a6e6ea533df7f34ab06eb85ab87fa225c313753fc1886770c9990f2e87400fbfa7bea9a557f9f2acec8d3481b4d70
-
SSDEEP
768:P5PHyCjmhFdWfLubuZ1kvIaEekM2C8cZNr1:P5PHfjGPAKbLVUer
-
Modifies WinLogon for persistence
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Adds policy Run key to start application
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Modifies WinLogon
-
Program crash
-
Suspicious use of SetThreadContext
-