General
Target: ödeme belgesi.exe
Size: 1.1MB
Sample: 230323-r5vyxaac4w
MD5: 243246dbeb1aa00dc9a83d72e6b3f1b4
SHA1: afcd9f5b22fdc2c06c80d44b259caae356931d96
SHA256: 341185818150baf930d9c84730c53eb6e0b5a392431283089c830c379b3aed0f
SHA512: 9dc6dcc31c0f40f1ea818506120198e84366606d3594d06f54a2f87bc894629de2425ceb9362663039bc7cfe5b963fc308af0cc99df84f35e3c99dbb06ad2f4c
SSDEEP: 12288:XplvK1e/1kQ2G1LskHNIuLqfts2xnKiQmM6iM8VzgL4MycvGjrT5epSPcd26e:XpGotIuO9k/mTPIwyc80pZe
Static task: static1
Behavioral task: behavioral1 (Sample: ödeme belgesi.exe, Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: ödeme belgesi.exe, Resource: win10v2004-20230220-en)
Malware Config
Extracted: remcos
RemoteHost: top.thekillforabuse1.xyz:1068
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-JRKBG9
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: ödeme belgesi.exe
Size: 1.1MB
Score: 10/10
Signatures:
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Adds Run key to start application
Suspicious use of SetThreadContext