General

  • Target

    2728-6-0x0000000000400000-0x000000000048A000-memory.dmp

  • Size

    552KB

  • MD5

    8b0b8c43c8256d08be6eeb559c2e6f8f

  • SHA1

    8c732ccf67b0a733e8db113fe0516323145eac1f

  • SHA256

    9d0b29b89a45ce4006f11365723b614351f7d636c62a9adfd2631dca4779f1e0

  • SHA512

    60f3883755fabf6953176879a340fad5da589054cb29dc1b3147cd4403134fc2b81e5a58c03e6fab10b2be6831ec94608dc5aef8b0d85828da2b4cd3293962e8

  • SSDEEP

    6144:N/7iPrcL3ArwhBq7Kjsn9iHGXg0lwGS9MNNhdFvPxps9zsAOZZuAXiKj:N/uPq3AfK496Gw0lwGXN3p4s/Zu

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

0.tcp.sa.ngrok.io:12792

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-6BINQM

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Capturas de tela

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos family
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unsigned PE 1 IoCs

    Checks for missing Authenticode signature.

Files

  • 2728-6-0x0000000000400000-0x000000000048A000-memory.dmp
    .exe windows:5 windows x86 arch:x86