General
-
Target
ff98b8da0fc33f048d672f8c46fe2a7103215a5c96087bf705602d0984bf6608.zip
-
Size
778KB
-
Sample
230321-r4qmssbd89
-
MD5
7940e70aaf4c5f91a9e6ab068b6916ac
-
SHA1
03b8c33447a4ee5d5e4d17c7cbf7828413838d35
-
SHA256
3bfdf3a12d5a07c43b210b633df6fbdcd5b2f020b30376b4aa450f79d02e511f
-
SHA512
d4854f59e7ab61f5650579f43524479030e8cdcd22f745747589a91692ebc2be59878b80f3d32c71ece082390c1540383aad57148e519054888fdba3b84fe5b2
-
SSDEEP
12288:K+qFTmSx8MRwpFb+0zH+H1YFcclaAJsl6Jdli3r/Rs6XDdcn1uCDkHiAYPN6n1:KlOD+weHTqPwe6XDKn1uCen1
Static task
static1
Behavioral task
behavioral1
Sample
Order Specification PDF.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Order Specification PDF.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
remcos
RemoteHost
51.75.209.245:2406
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-52YOYG
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
Order Specification PDF.exe
-
Size
917KB
-
MD5
01a79d7d8926e913bce1218c60f65ef0
-
SHA1
23f333779045ebaf0e2982ce27e9c45518187df9
-
SHA256
56fc6644385db6a7e927858e276af6f8e6a33302f82bde48633975ba452954a2
-
SHA512
0c6c3706c704b1bcb9d2a8c5fa5c363c31d40ba854bf1b761b2585c4edb2b0aefddf51ecc720eb1b0b01d5e442d8647eba21856e49e2478533b4b9ffa98a96a2
-
SSDEEP
24576:WyOVQiM5+tLYjcggbvs5ApLcPKtqg0YJe1Y:WLQR+tLYotzFLcPpYJ4
Score10/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-