General
-
Target
08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12.exe
-
Size
975KB
-
Sample
230608-nqkmvaeh45
-
MD5
b09d8da41c25dbe44e71bc2bc16de91c
-
SHA1
1cf249eb79d02549059cb377ed38f5505e262229
-
SHA256
08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12
-
SHA512
f5e8295989f03f955152fd1f91b44d47fd317c61e05abb3b5e50abc16975f45c0e29cc5f3e00e2a6c2a48856421bae59e550567cca5e2693784a4ed6dba7be2c
-
SSDEEP
24576:05GoR5a2x18A8DNaUQUzP/F73CjyQKraEyRC5x:0Io22xCDNaUQSPp3CeQ+aVRY
Static task
static1
Behavioral task
behavioral1
Sample
08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
remcos
RemoteHost
89.37.99.49:5888
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-0VIV73
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
Target
08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12.exe
-
Score
10/10
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-