General

Target: docs.img
Size: 2.4MB
Sample: 230323-zdp8caaa52
MD5: 26b6d8482b3210eecb90af0ddbf2a014
SHA1: 651aaffc2bfb4d4dc5ade2c853799d9329c365e6
SHA256: b26eb6fc92a2fc26739a203efd160fadbfb52c74d67eae4938e8d3d821e280c6
SHA512: 9db53d717fb7d0309c8cd71bbeb6646810c12a4b2f0be971b2235f61ef45690bdd16aa23508bab8a448738cbe5e8098316a88d1f94ffa01bb4357c72cd1fe1b1
SSDEEP: 24576:33HAfWxfLwk0u2QynLyw//0gLTi+hxAL0CD2iFGo1V8nJp5bN+Zr3GiK3CvbRNOU:3jwR0nLkiRYr+Zr2iK3CvbRNO/j
Static task: static1

Behavioral task: behavioral1
Sample: DOCS.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: DOCS.exe
Resource: win10v2004-20230220-en
Malware Config

Extracted
Family: remcos
Version: 2.7.1 Pro
RemoteHost: march4great.ddns.net:2409
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-PV9ZM8
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
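The extracted config above is only useful on a host once its fields are typed and the flag-gated artifacts are worked out: with install_flag and keylog_flag both false, the install copy, the Run value and logs.dat are not the expected baseline for this build, while the mutex and the C2 endpoint are. The following is an added example written for this page, not Triage's extractor and not Remcos's own code; the config text is transcribed from the report into one "key value" pair per line, and the reading of the flags (install_flag gates the copy and the Run value, keylog_flag gates the keylog file, the screenshot flags gate the screenshot folder) is an assumption drawn from the field names, not something the report states.

```python
"""Type the extracted Remcos config and derive the host artifacts it implies.

Added example for this page (not Triage's or Remcos's code). The flag gating
below is an assumption based on the field names; see the lead-in.
"""
import ntpath

# Transcribed from the report's "Malware Config / Extracted" block above.
REPORT_CONFIG = """\
RemoteHost march4great.ddns.net:2409
audio_folder MicRecords
audio_path %AppData%
audio_record_time 5
connect_delay 0
connect_interval 1
copy_file remcos.exe
copy_folder Remcos
delete_file false
hide_file false
hide_keylog_file false
install_flag false
install_path %AppData%
keylog_crypt false
keylog_file logs.dat
keylog_flag false
keylog_folder remcos
keylog_path %AppData%
mouse_option false
mutex Remcos-PV9ZM8
screenshot_crypt false
screenshot_flag false
screenshot_folder Screenshots
screenshot_path %AppData%
screenshot_time 10
startup_value Remcos
take_screenshot_option false
take_screenshot_time 5
take_screenshot_title wikipedia;solitaire;
"""

# Assumed location of the startup value; the report names only the value "Remcos".
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def parse_config(text):
    """Parse 'key value' lines into bool / int / list / str values."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, raw = line.partition(" ")
        if raw in ("true", "false"):
            cfg[key] = raw == "true"
        elif raw.isdigit():
            cfg[key] = int(raw)
        elif raw.endswith(";"):          # ';'-terminated list (window titles)
            cfg[key] = [t for t in raw.split(";") if t]
        else:
            cfg[key] = raw
    return cfg


def c2_endpoint(cfg):
    """RemoteHost is 'host:port'; split on the last colon."""
    host, _, port = cfg["RemoteHost"].rpartition(":")
    return host, int(port)


def expected_artifacts(cfg):
    """Artifacts keyed by name. 'expected' is False when the flag that would
    enable the artifact is off: its absence then says nothing, and its presence
    points at a different build or config. None means no gating flag exists
    in this config (audio capture has no on/off field here)."""
    install_dir = ntpath.join(cfg["install_path"], cfg["copy_folder"])
    return {
        "mutex": {"value": cfg["mutex"], "expected": True},
        "c2": {"value": c2_endpoint(cfg), "expected": True},
        "installed_copy": {"value": ntpath.join(install_dir, cfg["copy_file"]),
                           "expected": cfg["install_flag"]},
        "run_key": {"value": RUN_KEY + "\\" + cfg["startup_value"],
                    "expected": cfg["install_flag"]},
        "keylog_file": {"value": ntpath.join(cfg["keylog_path"], cfg["keylog_folder"],
                                             cfg["keylog_file"]),
                        "expected": cfg["keylog_flag"]},
        "screenshot_dir": {"value": ntpath.join(cfg["screenshot_path"], cfg["screenshot_folder"]),
                           "expected": cfg["screenshot_flag"] or cfg["take_screenshot_option"]},
        "audio_dir": {"value": ntpath.join(cfg["audio_path"], cfg["audio_folder"]),
                      "expected": None},
    }


if __name__ == "__main__":
    for name, art in expected_artifacts(parse_config(REPORT_CONFIG)).items():
        print(f"{name:15} expected={art['expected']!s:5} {art['value']}")
```

Treat the gating as a baseline, not as proof: the behavioral run in this report still fired "Adds Run key to start application" although install_flag is false, so the Run value is worth checking for regardless of what the static config says.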
Targets

Target: DOCS.exe
Size: 2.4MB
MD5: 072ae884ff0b7f872b2d096c6f56cd8f
SHA1: ed6fe1c2cf2ade73266d7110bcc24d9b26651aa0
SHA256: 060c14947ec75ce9817f7be911534e3e15a797dc17680acc2f05d8afbffdc1c1
SHA512: d8949a16c6b2b305345d73652ccdbe125eb4eb0a14a2811b0618f91717436fd61bfa5475846c7e4af93dc638c309bfea3c5ef6ecbcfe08aeaef5d98da16133b5
SSDEEP: 24576:F3HAfWxfLwk0u2QynLyw//0gLTi+hxAL0CD2iFGo1V8nJp5bN+Zr3GiK3CvbRNOU:VjwR0nLkiRYr+Zr2iK3CvbRNO/j
Score: 10/10

Signatures
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Adds Run key to start application
- Suspicious use of SetThreadContext
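The three signatures above are the kind of rule a sandbox or EDR evaluates over an API-call trace: a read of the locale/geo registry keys, a value written under a Run key, and SetThreadContext applied to a child that was created suspended and then written into (the process-hollowing chain). The following is an added example written for this page, not Triage's detection code: the trace format (tab-separated pid, API name, arguments) and every event in it are constructed to illustrate the rules, not taken from this sample's real trace, and the registry paths the rules match on (Control Panel\International\Geo for the country code, CurrentVersion\Run for persistence) are the author's choice of where such lookups and writes typically land.

```python
"""Behavioral signature matching over a constructed API-call trace.

Added example for this page; not Triage's code. The trace and its format are
constructed, and the matched registry paths are assumptions (see lead-in).
"""
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x4

# Constructed trace: pid 1000 checks the configured country, writes a Run
# value, and hollows a suspended child (pid 1004); pid 2000 is unrelated noise.
TRACE = """\
1000\tRegOpenKeyExW\tHKCU\\Control Panel\\International\\Geo
1000\tRegQueryValueExW\tHKCU\\Control Panel\\International\\Geo\tNation
1000\tRegSetValueExW\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tRemcos\tC:\\Users\\user\\AppData\\Roaming\\Remcos\\remcos.exe
1000\tCreateProcessW\tC:\\Users\\user\\Desktop\\DOCS.exe\t0x00000004\t1004
1000\tWriteProcessMemory\t1004\t0x00400000\t2457600
1000\tSetThreadContext\t1004
1000\tResumeThread\t1004
2000\tRegQueryValueExW\tHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\tProductName
"""

GEO_KEYS = re.compile(r"\\Control Panel\\International\\Geo\b", re.IGNORECASE)
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)


def parse_trace(text):
    """Each line: pid <tab> api <tab> arg1 <tab> arg2 ... -> (pid, api, [args])."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, *args = line.split("\t")
        events.append((int(pid), api, args))
    return events


def match_signatures(events):
    """Return {signature name: [evidence strings]} for the signatures that fired."""
    hits = defaultdict(list)
    suspended = set()   # child pids created with CREATE_SUSPENDED
    written = set()     # suspended children that then received WriteProcessMemory
    for pid, api, args in events:
        if api.startswith("RegQueryValueEx") and args and GEO_KEYS.search(args[0]):
            hits["Checks computer location settings"].append(
                f"pid {pid} reads {args[0]}\\{args[1]}")
        elif api.startswith("RegSetValueEx") and args and RUN_KEYS.search(args[0]):
            hits["Adds Run key to start application"].append(
                f"pid {pid} sets {args[0]}\\{args[1]} = {args[2]}")
        elif api.startswith("CreateProcess") and len(args) >= 3:
            if int(args[1], 16) & CREATE_SUSPENDED:
                suspended.add(int(args[2]))
        elif api == "WriteProcessMemory" and int(args[0]) in suspended:
            written.add(int(args[0]))
        elif api == "SetThreadContext" and int(args[0]) in written:
            # Only the full chain (suspended create -> write -> context swap) fires;
            # a bare SetThreadContext (debuggers, some runtimes) does not.
            hits["Suspicious use of SetThreadContext"].append(
                f"pid {pid} rewrites the thread context of suspended child {args[0]} "
                f"after writing its memory")
    return dict(hits)


if __name__ == "__main__":
    for name, evidence in match_signatures(parse_trace(TRACE)).items():
        print(name)
        for line in evidence:
            print("   ", line)
```

The SetThreadContext rule deliberately requires the suspended-create and WriteProcessMemory steps first; matching on the API alone is the main false-positive source for this signature, and the report's wording ("suspicious use") reflects that the call is only meaningful in context.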