General
-
Target
52cd7be7efd8e79b7b6858ea23f0693e2fefdf5f903fe961b271873ddc924ff7
-
Size
475KB
-
Sample
230318-vsnkvada63
-
MD5
161f3aae8e9907b33cbd59c7f01c1840
-
SHA1
cd818470eaff911027b2c8834561f83b725af8e9
-
SHA256
52cd7be7efd8e79b7b6858ea23f0693e2fefdf5f903fe961b271873ddc924ff7
-
SHA512
63f7ae2013c8bc5c3a5403683e162d5aa32dd6eff9ef2035aa09254b55c79ef9e9f8fb7257a22c2b0fd912ca0a4b63273aa9d016e916bac7263774f55ff5b0fb
-
SSDEEP
12288:JjdAK8wxqkXuxOqLXO3X2orpbKs/ZglBRq:XA3wxqkXuxOq+rpbRZO
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-NB4WGA
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
52cd7be7efd8e79b7b6858ea23f0693e2fefdf5f903fe961b271873ddc924ff7
-
Size
475KB
-
MD5
161f3aae8e9907b33cbd59c7f01c1840
-
SHA1
cd818470eaff911027b2c8834561f83b725af8e9
-
SHA256
52cd7be7efd8e79b7b6858ea23f0693e2fefdf5f903fe961b271873ddc924ff7
-
SHA512
63f7ae2013c8bc5c3a5403683e162d5aa32dd6eff9ef2035aa09254b55c79ef9e9f8fb7257a22c2b0fd912ca0a4b63273aa9d016e916bac7263774f55ff5b0fb
-
SSDEEP
12288:JjdAK8wxqkXuxOqLXO3X2orpbKs/ZglBRq:XA3wxqkXuxOq+rpbRZO
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
UAC bypass
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-