General
-
Target
1dc2d94462f30e8f97c740a578056634809f9bfef4e38d0c887fce98c2284c03.txt
-
Size
332KB
-
Sample
230322-s43sssbe9v
-
MD5
00f7977e2833fcc4edfd13f978d2e9c9
-
SHA1
28e184a2233a7cafd447a5b5c668c4fb29ca541c
-
SHA256
1dc2d94462f30e8f97c740a578056634809f9bfef4e38d0c887fce98c2284c03
-
SHA512
a24bb76cd0427c6ec0c2dd63c81b02f20bd174092f047e8c5e1f671b4d4b79fa99305fbb3c31c978360c43eabb1e2d267d4832da85c48bd1fdf1acc3251c0af7
-
SSDEEP
6144:/wtxlALTaOJXIkz8n9GM2VHn7wPDXLR/RkrEv/et4BIuIbLU+Kxa7xnu:/+efaOJXIb9GMgnoXLR/urIWqn0+P
Static task
static1
Malware Config
Extracted
remcos
Popads1
15.235.53.10:3005
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-TOMSMO
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Targets
-
-
Target
1dc2d94462f30e8f97c740a578056634809f9bfef4e38d0c887fce98c2284c03.txt
-
Size
332KB
-
MD5
00f7977e2833fcc4edfd13f978d2e9c9
-
SHA1
28e184a2233a7cafd447a5b5c668c4fb29ca541c
-
SHA256
1dc2d94462f30e8f97c740a578056634809f9bfef4e38d0c887fce98c2284c03
-
SHA512
a24bb76cd0427c6ec0c2dd63c81b02f20bd174092f047e8c5e1f671b4d4b79fa99305fbb3c31c978360c43eabb1e2d267d4832da85c48bd1fdf1acc3251c0af7
-
SSDEEP
6144:/wtxlALTaOJXIkz8n9GM2VHn7wPDXLR/RkrEv/et4BIuIbLU+Kxa7xnu:/+efaOJXIb9GMgnoXLR/urIWqn0+P
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Uses Session Manager for persistence
Creates Session Manager registry key to run executable early in system boot.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Registers COM server for autorun
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-