General
-
Target
envifa.vbs
-
Size
160KB
-
Sample
231201-p4ngbshh79
-
MD5
992d2c66316af1b90244897b4bb0176b
-
SHA1
6f8f603ec70ff0343e718073efcee39b77392889
-
SHA256
536518586a4aa645bac5280e49b83d2aaedb223ad721032fa0710f58a3b1cbc7
-
SHA512
e1848d23d21a8d9cf9c1f6bdecec6d588b255b2a254dd66fcfc22d108953437fd299c27a469996a5f5bdb4443c8d415e69db2e5c74df58dd4e977335208add39
-
SSDEEP
384:g+Sl2MmhYC9Mfzjp8Q8t8l8o8o8o8o8o8o8o8o8o8o8o8o8o8o8o8o8f898X8o8R:g+SlqeTfz6+fd
Malware Config
Extracted
remcos
RemoteHost
remccoss2023.duckdns.org:4576
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
registros.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-E5ZBB0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Capturas de pantalla
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
envifa.vbs
-
Size
160KB
-
MD5
992d2c66316af1b90244897b4bb0176b
-
SHA1
6f8f603ec70ff0343e718073efcee39b77392889
-
SHA256
536518586a4aa645bac5280e49b83d2aaedb223ad721032fa0710f58a3b1cbc7
-
SHA512
e1848d23d21a8d9cf9c1f6bdecec6d588b255b2a254dd66fcfc22d108953437fd299c27a469996a5f5bdb4443c8d415e69db2e5c74df58dd4e977335208add39
-
SSDEEP
384:g+Sl2MmhYC9Mfzjp8Q8t8l8o8o8o8o8o8o8o8o8o8o8o8o8o8o8o8o8f898X8o8R:g+SlqeTfz6+fd
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Suspicious use of SetThreadContext
-