General

Target: PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.tar (Spanish lure name; "ORDEN DE COMPRA Y FACTURACION" is "purchase order and invoicing")
Size: 1.2MB
Sample: 230323-1hta8scc7s
MD5: ca5cc907fa719d1b16bb9cd3870dff1b
SHA1: ad70bbee108cddae13f9763c793a67a6d6671781
SHA256: 821c137ee343264e8c8c30161091cd61d63069371e4f6cb2c7131ed930426b5e
SHA512: b33c09dea3529019d1188c416811f4ec34328c5eeca84907af817bfdb06d4b7ca1e057e578f79d636250383399b00bbdf552b61767c58126145ddb633ff73298
SSDEEP: 24576:YKXdBsLfg/rhl+D2h3tGia/vE1zEgk9OgPQJOLRpOfvwFq9B20HrLY0o0cw:YKmfg/rhUD2h3kC1AfFPKOLcvwcD2097
Static task: static1

Behavioral task: behavioral1
Sample: PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe
Resource: win7-20230220-es

Behavioral task: behavioral2
Sample: PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe
Resource: win10v2004-20230220-es
Malware Config

Extracted: remcos

RemoteHost: marlonloperalora09.con-ip.com:1995
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-L3LNUT
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
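The extracted configuration is only useful once it is turned into indicators that this particular build would actually produce. In this config install_flag, keylog_flag and screenshot_flag are all false, so the copy_folder/copy_file, startup_value and keylog_file values describe options that are switched off, while the RemoteHost and mutex apply regardless. The script below is an added example, not code from the sandbox report or from Remcos: it parses the report's flattened key/value layout (a constructed subset of the keys above) and emits only the gated indicators. The path layouts it assumes (%AppData%\<copy_folder>\<copy_file> and the keylog file under %AppData%\<keylog_folder>) are assumptions about Remcos behaviour, not something the report states.

```python
"""Turn a sandbox-style Remcos config dump into concrete indicators.

Added example; not code from the sandbox report or from Remcos.
Input format assumed: one key line followed by one value line, "-" lines
ignored. Path layouts below are assumptions about Remcos behaviour.
"""
from __future__ import annotations

from typing import Any

# Constructed from the Malware Config section above (subset of the keys).
SAMPLE_CONFIG = """\
RemoteHost
marlonloperalora09.con-ip.com:1995
copy_file
remcos.exe
copy_folder
Remcos
install_flag
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mutex
Rmc-L3LNUT
screenshot_flag
false
startup_value
Remcos
"""


def _coerce(value: str) -> Any:
    """Map the report's textual values onto bool/int where unambiguous."""
    low = value.lower()
    if low in ("true", "false"):
        return low == "true"
    if value.isdigit():
        return int(value)
    return value


def parse_config(text: str) -> dict[str, Any]:
    """Parse alternating key/value lines; repeated keys accumulate into a list."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "-"]
    if len(lines) % 2:
        raise ValueError("dangling key without a value")
    cfg: dict[str, Any] = {}
    for key, raw in zip(lines[0::2], lines[1::2]):
        val = _coerce(raw)
        if key in cfg:
            prev = cfg[key]
            cfg[key] = (prev if isinstance(prev, list) else [prev]) + [val]
        else:
            cfg[key] = val
    return cfg


def parse_c2(value: Any) -> list[tuple[str, int]]:
    """Split RemoteHost value(s) into (host, port) pairs, validating the port."""
    entries = value if isinstance(value, list) else [value]
    out: list[tuple[str, int]] = []
    for entry in entries:
        host, sep, port = str(entry).rpartition(":")
        if not sep or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"malformed RemoteHost entry: {entry!r}")
        out.append((host, int(port)))
    return out


def derive_iocs(cfg: dict[str, Any]) -> dict[str, Any]:
    """Emit only the indicators this build would actually produce.

    The flags gate the host artifacts: with install_flag false the copy path
    and startup value are never created, and with keylog_flag false no log
    file appears, so publishing them as IOCs would only cause false positives.
    """
    iocs: dict[str, Any] = {
        "c2": parse_c2(cfg["RemoteHost"]),
        "mutex": cfg.get("mutex"),
        "persistence": None,
        "keylog_file": None,
    }
    if cfg.get("install_flag") is True:
        iocs["persistence"] = {
            # Assumed layout: %AppData%\<copy_folder>\<copy_file>
            "path": "\\".join(["%AppData%", cfg["copy_folder"], cfg["copy_file"]]),
            "startup_value": cfg.get("startup_value"),
        }
    if cfg.get("keylog_flag") is True:
        # Assumed layout: %AppData%\<keylog_folder>\<keylog_file>
        iocs["keylog_file"] = "\\".join(["%AppData%", cfg["keylog_folder"], cfg["keylog_file"]])
    return iocs


if __name__ == "__main__":
    print(derive_iocs(parse_config(SAMPLE_CONFIG)))
```

Run against the config above this yields the C2 endpoint and the mutex Rmc-L3LNUT and nothing else; flipping install_flag to true in the input is what makes the %AppData%\Remcos\remcos.exe path and the startup value Remcos appear as indicators.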
Targets

Target: PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe
Size: 1023.9MB
MD5: 9d702008371d20fdd562bcda16e5980c
SHA1: 2cdd65d525020bb353d7e53d8a1ee61263985849
SHA256: c53c37ade6c06b4813220a9e776b0b45e45e6eeffd2a09f6b633eef45868abdd
SHA512: ebdcc4d65fd92b5ff773f77ca689b8aa4e0d0366211b432a85ca0db652000ba9d4a215b99173ab884f8a8b35c1ac5182c48ef2a91ab908915b3ad06a5c0abf90
SSDEEP: 12288:Of0zcQzKT8oQo2p2vS0gALQN58cPD8f6r0OU2yJI0FSJr1rziqLcyFxfp:OqKQN/p2vSNycPgs0OU2yJpFSTWexh
Score: 10/10

Signatures
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Drops file in System32 directory
Suspicious use of SetThreadContext (an API commonly used for process hollowing and thread-hijacking injection; the report does not identify the target process)
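The report lists the .tar at 1.2MB but the extracted executable at 1023.9MB, a compression ratio of roughly 850:1. That is consistent with a binary inflated by a long run of repeated bytes, a common trick for pushing a sample past the upload-size limits of scanners and sandboxes, although the report itself does not state this. The script below is an added example, not code from the sandbox report: it measures the two properties such padding leaves behind (a long trailing run of a single byte value and an extreme zlib compression ratio) on constructed stand-in buffers, and strips the run so the real content can be hashed and scanned. The thresholds are assumptions, and no real PE parsing is attempted.

```python
"""Sanity-check an executable for inflation padding.

Added example, not part of the sandbox report. Thresholds are assumptions.
"""
import hashlib
import zlib


def pseudo_random(n: int, seed: bytes = b"remcos-example") -> bytes:
    """Deterministic, incompressible filler standing in for real code/data."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed stand-ins: 16 KiB of "real" content ending in a non-zero byte,
# and the same content followed by 4 MiB of zero bytes.
UNPADDED = pseudo_random(16 * 1024 - 1) + b"\xff"
PADDED = UNPADDED + b"\x00" * (4 * 1024 * 1024)


def padding_profile(data: bytes) -> dict:
    """Measure the trailing single-byte run and overall compressibility."""
    if not data:
        return {"size": 0, "trailing_byte": None,
                "trailing_fraction": 0.0, "compression_ratio": 1.0}
    last = data[-1:]
    trailing = len(data) - len(data.rstrip(last))
    compressed = len(zlib.compress(data, 6))
    return {
        "size": len(data),
        "trailing_byte": last[0],
        "trailing_fraction": trailing / len(data),
        "compression_ratio": len(data) / max(compressed, 1),
    }


def looks_padded(profile: dict, min_trailing: float = 0.5,
                 min_ratio: float = 50.0) -> bool:
    """Flag when most of the file is one repeated byte, or when it compresses
    far better than ordinary code and data ever do."""
    return (profile["trailing_fraction"] >= min_trailing
            or profile["compression_ratio"] >= min_ratio)


def payload_without_padding(data: bytes) -> bytes:
    """Strip the trailing run so hashing and scanning see the real content.

    The hash of the stripped bytes will not match the report's hashes, which
    were computed over the full inflated file.
    """
    if not data:
        return data
    return data.rstrip(data[-1:])


if __name__ == "__main__":
    for name, blob in (("unpadded", UNPADDED), ("padded", PADDED)):
        prof = padding_profile(blob)
        print(name, looks_padded(prof), round(prof["compression_ratio"], 1))
```

When triaging a sample like this one, keep both hashes: the full-file hashes tie the artifact back to the sandbox report, while the hash of the stripped payload is what will match other copies of the same dropper padded to a different size.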