General
-
Target
Invoice.zip
-
Size
326B
-
Sample
231123-n316cshe78
-
MD5
0133fe023b7b4d6aa6ab22c30e1dc060
-
SHA1
e9c372333e30faae0d102846e0d89f889d20ae85
-
SHA256
79e0fcb3dba988510f42059372ddd0cc77723aba3ed40d7220ca44467e790b6e
-
SHA512
49c8971c94b25f13855f4c507698fb401bce983a2dd5f996bb715473174804bfea3f9d221686ff87fa4b1abb7ced3f06db23f0f4df3d2ae0c8669bb10699dff1
Malware Config
Extracted
remcos
RemoteHost
listpoints.online:6090
retghrtgwtrgtg.bounceme.net:3839
listpoints.click:7020
datastream.myvnc.com:5225
gservicese.com:2718
center.onthewifi.com:8118
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
explorer.exe
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-BXAQVH
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
Invoice.url
-
Size
198B
-
MD5
90962de04e13d0f8e7b96a094ec6b77a
-
SHA1
4907eebd8f643e128a3c597ebe7dd0d302d9ff04
-
SHA256
b13b262720b806604e486ff0022ac3ebdd2f67484e5c9c53326c8ffde3d7f9a7
-
SHA512
c2b7d016c170d8adbbce57c17cba32da64ff51527c4b5375bf5f7c885c3033a55e4e859091979e03420a010a9b90cddc31e2c72000732b66fba4904952e2e902
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-