General
-
Target
IUVR-8403-8402-2023._patched.exe
-
Size
1.2MB
-
Sample
230323-x7tfrabf61
-
MD5
898190d53ed165a6f08d0b2e1af9bfe0
-
SHA1
cce3350bd6479aad0a4533401d875ec047c5f5d8
-
SHA256
8bbc5bd45c06cfb409bea5431cb5e876633cd2b30730f6d2ccd0b5cb36616826
-
SHA512
f88e1ebd8e35945653824ace11d5ab85e7c33b7db876bd0e0cd2925beece608e2033144dbad4a6a3fa5d58425c8bbb9da74af03ce7bd4608ab26b0d7c3a139f2
-
SSDEEP
6144:AxjCbYJafbpsBSM/HVFku/7AGLr5lw2H3SgoXraFjvVpQ+QW8uR3OoJWwvTTZlIY:+PozpsBzkuHPgDsvELuv7ZlIgCjIDF
Static task
static1
Behavioral task
behavioral1
Sample
IUVR-8403-8402-2023._patched.exe
Resource
win7-20230220-en
Malware Config
Extracted
remcos
BILLETE
cactus.con-ip.com:7770
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-9927QM
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
IUVR-8403-8402-2023._patched.exe
-
Size
1.2MB
-
MD5
898190d53ed165a6f08d0b2e1af9bfe0
-
SHA1
cce3350bd6479aad0a4533401d875ec047c5f5d8
-
SHA256
8bbc5bd45c06cfb409bea5431cb5e876633cd2b30730f6d2ccd0b5cb36616826
-
SHA512
f88e1ebd8e35945653824ace11d5ab85e7c33b7db876bd0e0cd2925beece608e2033144dbad4a6a3fa5d58425c8bbb9da74af03ce7bd4608ab26b0d7c3a139f2
-
SSDEEP
6144:AxjCbYJafbpsBSM/HVFku/7AGLr5lw2H3SgoXraFjvVpQ+QW8uR3OoJWwvTTZlIY:+PozpsBzkuHPgDsvELuv7ZlIgCjIDF
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-